Preface


My goal in writing this text has been to write an accessible and inviting introduction to 
number theory. Foremost, I wanted to create an effective tool for teaching and learning. 
I hoped to capture the richness and beauty of the subject and its unexpected usefulness. 
Number theory is both classical and modern, and, at the same time, both pure and applied.
In this text, I have strived to capture these contrasting aspects of number theory. I have 
worked hard to integrate these aspects into one cohesive text. 

This book is ideal for an undergraduate number theory course at any level. No formal 
prerequisites beyond college algebra are needed for most of the material, other than 
some level of mathematical maturity. This book is also designed to be a source book 
for elementary number theory; it can serve as a useful supplement for computer science 
courses and as a primer for those interested in new developments in number theory and 
cryptography. Because it is comprehensive, it is designed to serve both as a textbook and 
as a lifetime reference for elementary number theory and its wide-ranging applications. 

This edition celebrates the silver anniversary of this book. Over the past 25 years, 
close to 100,000 students worldwide have studied number theory from previous editions.
Each successive edition of this book has benefited from feedback and suggestions from
many instructors, students, and reviewers. This new edition follows the same basic 
approach as all previous editions, but with many improvements and enhancements. I 
invite instructors unfamiliar with this book, or who have not looked at a recent edition, 
to carefully examine the sixth edition. I have confidence that you will appreciate the rich 
exercise sets, the fascinating biographical and historical notes, the up-to-date coverage, 
careful and rigorous proofs, the many helpful examples, the rich applications, the support 
for computational engines such as Maple and Mathematica, and the many resources 
available on the Web. 


Changes in the Sixth Edition 

The changes in the sixth edition have been designed to make the book easier to teach and 
learn from, more interesting and inviting, and as up-to-date as possible. Many of these 
changes were suggested by users and reviewers of the fifth edition. The following list 
highlights some of the more important changes in this edition. 
• New discoveries

This edition tracks recent discoveries of both a numerical and a theoretical nature. Among 
the new computational discoveries reflected in the sixth edition are four Mersenne primes 
and the latest evidence supporting many open conjectures. The Tao-Green theorem 
proving the existence of arbitrarily long arithmetic progressions of primes is one of the 
recent theoretical discoveries described in this edition. 

• Biographies and historical notes 

Biographies of Terence Tao, Etienne Bezout, Norman MacLeod Ferrers, Clifford Cocks, 
and Waclaw Sierpinski supplement the already extensive collection of biographies in the 
book. Surprising information about secret British cryptographic discoveries predating 
the work of Rivest, Shamir, and Adleman has been added. 

• Conjectures 

The treatment of conjectures throughout elementary number theory has been expanded, 
particularly those about prime numbers and diophantine equations. Both resolved and 
open conjectures are addressed. 

• Combinatorial number theory 

A new section of the book covers partitions, a fascinating and accessible topic in 
combinatorial number theory. This new section introduces such important topics as 
Ferrers diagrams, partition identities, and Ramanujan’s work on congruences. In this
section, partition identities, including Euler’s important results, are proved using both 
generating functions and bijections. 

• Congruent numbers and elliptic curves 

A new section is devoted to the famous congruent number problem, which asks which 
positive integers are the area of a right triangle with rational side lengths. This section 
contains a brief introduction to elliptic curves and relates the congruent number problem
to finding rational points on certain elliptic curves. Also, this section relates the congruent
number problem to arithmetic progressions of three squares. 

• Geometric reasoning 

This edition introduces the use of geometric reasoning in the study of diophantine 
problems. In particular, new material shows that finding rational points on the unit circle 
is equivalent to finding Pythagorean triples, and that finding rational triangles with a
given integer as area is equivalent to finding rational points on an associated elliptic 
curve. 

• Cryptography 

This edition eliminates the unnecessary restriction that when the RSA cryptosystem is 
used to encrypt a plaintext message this message needs to be relatively prime to the 
modulus in the key. 
• Greatest common divisors

Greatest common divisors are now defined in the first chapter, as is what it means for 
two integers to be relatively prime. The term Bezout coefficients is now introduced and 
used in the book. 

• Jacobi symbols 

More motivation is provided for the usefulness of Jacobi symbols. In particular, an 
expanded discussion on the usefulness of the Jacobi symbol in evaluating Legendre 
symbols is now provided. 

• Enhanced exercise sets 

Extensive work has been done to improve exercise sets even farther. Several hundred 
new exercises, ranging from routine to challenging, have been added. Moreover, new 
computational and exploratory exercises can be found in this new edition. 

• Accuracy

More attention than ever before has been paid to ensuring the accuracy of this edition. 
Two independent accuracy checkers have examined the entire text and the answers to 
exercises. 

• Web Site, www.pearsonhighered.com/rosen 

The Web site for this edition has been considerably expanded. Students and instructors 
will find many new resources they can use in conjunction with the book. Among the new 
features are an expanded collection of applets, a manual for using computational engines
to explore number theory, and a Web page devoted to number theory news. 


Exercise Sets 

Because exercises are so important, a large percentage of my writing and revision work 
has been devoted to the exercise sets. Students should keep in mind that the best way to 
learn mathematics is to work as many exercises as possible. I will briefly describe the
types of exercises found in this book and where to find answers and solutions. 

• Standard Exercises 

Many routine exercises are included to develop basic skills, with care taken so that 
both odd-numbered and even-numbered exercises of this type are included. A large 
number of intermediate-level exercises help students put several concepts together to 
form new results. Many other exercises and blocks of exercises are designed to develop 
new concepts. 

• Exercise Legend 

Challenging exercises are in ample supply and are marked with one star (*) indicating a 
difficult exercise and two stars (**) indicating an extremely difficult exercise. There are
some exercises that contain results used later in the text; these are marked with an arrow
symbol (>*). These exercises should be assigned by instructors whenever possible. 

• Exercise Answers 

The answers to all odd-numbered exercises are provided at the end of the text. More 
complete solutions to these exercises can be found in the Student’s Solutions Manual that 
can be found on the Web site for this book. All solutions have been carefully checked 
and rechecked to ensure accuracy. 

• Computational Exercises 

Each section includes computations and explorations designed to be done with a computational
program, such as Maple, Mathematica, PARI/GP, or Sage, or using programs
written by instructors and/or students. There are routine computational exercises students
can do to learn how to apply basic commands (as described in Appendix D for Maple and
Mathematica and on the Web site for PARI/GP and Sage), as well as more open-ended 
questions designed for experimentation and creativity. Each section also includes a set of 
programming projects designed to be done by students using a programming language 
or the computational program of their choice. The Student’s Manual to Computations 
and Explorations on the Web site provides answers, hints, and guidance that will help 
students use computational tools to attack these exercises. 


Web Site 

Students and instructors will find a comprehensive collection of resources on this 
book’s Web site. Students (as well as instructors) can find a wide range of resources at 
www.pearsonhighered.com/rosen. Resources intended for only instructor use can be accessed
at www.pearsonhighered.com/irc; instructors can obtain their password for these
resources from Pearson. 

• External Links 

The Web site for this book contains a guide providing annotated links to many Web sites 
relevant to number theory. These sites are keyed to the page in the book where relevant 
material is discussed. These locations are marked in the book with the icon Q. For 
convenience, a list of the most important Web sites related to number theory is provided 
in Appendix D. 

• Number Theory News 

The Web site also contains a section highlighting the latest discoveries in number theory. 

• Student’s Solutions Manual 

Worked-out solutions to all the odd-numbered exercises in the text and sample exams 
can be found in the online Student’s Solution Manual. 
• Student’s Manual for Computations and Explorations

A manual providing resources supporting the computations and explorations can be 
found on the Web site for this book. This manual provides worked-out solutions or partial 
solutions to many of these computational and exploratory exercises, as well as hints and 
guidance for attacking others. This manual will support, to varying degrees, different 
computational environments, including Maple, Mathematica, and PARI/GP.

• Applets 

An extensive collection of applets is provided on the Web site. These applets can be used
by students for some common computations in number theory and to help understand
concepts and explore conjectures. Besides algorithms for computations in number theory,
a collection of cryptographic applets is also provided. These include applets for encryption,
decryption, cryptanalysis, and cryptographic protocols, addressing both classical
ciphers and the RSA cryptosystem. These cryptographic applets can be used for individual,
group, and classroom activities.

• Suggested Projects 

A useful collection of suggested projects can also be found on the Web site for this book. 
These projects can serve as final projects for students and for groups of students. 

• Instructor’s Manual 

Worked solutions to all exercises in the text, including the even-numbered exercises,
and a variety of other resources can be found on the Web site for instructors (which 
is not available to students). Among these other resources are sample syllabi, advice on 
planning which sections to cover, and a test bank. 


How to Design a Course Using this Book 

This book can serve as the text for elementary number theory courses with many different 
slants and at many different levels. Consequently, instructors will have a great deal of 
flexibility designing their syllabi with this text. Most instructors will want to cover the 
core material in Chapter 1 (as needed), Section 2.1 (as needed), Chapter 3, Sections 
4.1-4.3, Chapter 6, Sections 7.1-7.3, and Sections 9.1-9.2.

To fill out their syllabi, instructors can add material on topics of interest. Generally, 
topics can be broadly classified as pure versus applied. Pure topics include Mobius 
inversion (Section 7.4), integer partitions (Section 7.5), primitive roots (Chapter 9), 
continued fractions (Chapter 12), diophantine equations (Chapter 13), and Gaussian
integers (Chapter 14). 

Some instructors will want to cover accessible applications such as divisibility tests, 
the perpetual calendar, and check digits (Chapter 5). Those instructors who want to stress 
computer applications and cryptography should cover Chapter 2 and Chapter 8. They 
may also want to include Sections 9.3 and 9.4, Chapter 10, and Section 11.5. 
After deciding which topics to cover, instructors may wish to consult the following
figure displaying the dependency of chapters:

[Figure: dependency of chapters]



Although Chapter 2 may be omitted if desired, it does explain the big-O notation
used throughout the text to describe the complexity of algorithms. Chapter 12 depends 
only on Chapter 1, as shown, except for Theorem 12.4, which depends on material 
from Chapter 9. Section 13.4 is the only part of Chapter 13 that depends on Chapter 
12. Chapter 11 can be studied without covering Chapter 9 if the optional comments 
involving primitive roots in Section 9.1 are omitted. Section 14.3 should also be covered 
in conjunction with Section 13.3. 

For further assistance, instructors can consult the suggested syllabi for courses with 
different emphases provided in the Instructor’s Resource Guide on the Web site. 
What Is Number Theory?


There is a buzz about number theory: Thousands of people work on communal number
theory problems over the Internet ... the solution of a famous problem in number 
theory is reported on the PBS television series NOVA . . . people study number theory 
to understand systems for making messages secret . . . What is this subject, and why are 
so many people interested in it today? 

Number theory is the branch of mathematics that studies the properties of, and the 
relationships between, particular types of numbers. Of the sets of numbers studied in 
number theory, the most important is the set of positive integers. More specifically, 
the primes, those positive integers with no positive proper factors other than 1, are 
of special importance. A key result of number theory shows that the primes are the 
multiplicative building blocks of the positive integers. This result, called the fundamental 
theorem of arithmetic, tells us that every positive integer can be uniquely written as 
the product of primes in nondecreasing order. Interest in prime numbers goes back 
at least 2500 years, to the studies of ancient Greek mathematicians. Perhaps the first 
question about primes that comes to mind is whether there are infinitely many. In The 
Elements, the ancient Greek mathematician Euclid provided a proof that there are
infinitely many primes. This proof is considered to be one of the most beautiful proofs 
in all of mathematics. Interest in primes was rekindled in the seventeenth and eighteenth 
centuries, when mathematicians such as Pierre de Fermat and Leonhard Euler proved 
many important results and conjectured approaches for generating primes. The study of 
primes progressed substantially in the nineteenth century; results included the infinitude 
of primes in arithmetic progressions, and sharp estimates for the number of primes not 
exceeding a positive number x. The last 100 years has seen the development of many 
powerful techniques for the study of primes, but even with these powerful techniques, 
many questions remain unresolved. An example of a notorious unsolved question is 
whether there are infinitely many twin primes, which are pairs of primes that differ by 2. 
New results will certainly follow in the coming decades, as researchers continue working 
on the many open questions involving primes. 

The development of modern number theory was made possible by the German
mathematician Carl Friedrich Gauss, one of the greatest mathematicians in history, who
in the early nineteenth century developed the language of congruences. We say that two
integers a and b are congruent modulo m, where m is a positive integer, if m divides
$a - b$. This language makes it easy to work with divisibility relationships in much the
same way that we work with equations. Gauss developed many important concepts in 
number theory; for example, he proved one of its most subtle and beautiful results, the law 
of quadratic reciprocity. This law relates whether a prime p is a perfect square modulo 
a second prime q to whether q is a perfect square modulo p. Gauss developed many
different proofs of this law, some of which have led to whole new areas of number theory. 

Distinguishing primes from composite integers is a key problem of number theory. 
Work on this problem has produced an arsenal of primality tests. The simplest primality 
test is simply to check whether a positive integer is divisible by each prime not exceeding 
its square root. Unfortunately, this test is too inefficient to use for extremely large positive 
integers. Many different approaches have been used to determine whether an integer is 
prime. For example, in the nineteenth century, Pierre de Fermat showed that p divides
$2^p - 2$ whenever p is prime. Some mathematicians thought that the converse also was
true (that is, that if n divides $2^n - 2$, then n must be prime). However, it is not; by the early
nineteenth century, composite integers n, such as 341, were known for which n divides
$2^n - 2$. Such integers are called pseudoprimes. Though pseudoprimes exist, primality
tests based on the fact that most composite integers are not pseudoprimes are now used
to quickly find extremely large integers which are extremely likely to be primes.
However, they cannot be used to prove that an integer is prime. Finding an efficient 
method to prove that an integer is prime was an open question for hundreds of years. 
In a surprise to the mathematical community, this question was solved in 2002 by three 
Indian computer scientists, Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. Their 
algorithms can prove that an integer n is prime in polynomial time (in terms of the number 
of digits of n).
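The two tests described above, side by side, as an added example that is not part of the book: trial division up to the square root, and the check that n divides $2^n - 2$, which composites such as 341 also pass. The function names are this example's own, and trial division here uses odd divisors rather than a table of primes.

```python
from math import isqrt


def is_prime_trial(n: int) -> bool:
    """Deterministic test: try every odd divisor up to sqrt(n).

    Correct for all n, but the work grows like sqrt(n), which is
    hopeless for integers with hundreds of digits.
    """
    if n < 2:
        return False
    if n < 4:
        return True          # 2 and 3
    if n % 2 == 0:
        return False
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def passes_base2_test(n: int) -> bool:
    """Check whether n divides 2**n - 2, using modular exponentiation.

    pow(2, n, n) needs only about log2(n) multiplications, so this is
    fast even for very large n. Every prime passes; a composite that
    passes is a pseudoprime, so a pass is evidence, not proof.
    """
    if n < 2:
        return False
    return pow(2, n, n) == 2 % n


def pseudoprimes_below(limit: int) -> list[int]:
    """Composite n < limit that nevertheless pass the base-2 test."""
    return [
        n for n in range(2, limit)
        if passes_base2_test(n) and not is_prime_trial(n)
    ]


def survey(limit: int) -> dict[str, int]:
    """Count how often the fast test is wrong below `limit`."""
    primes = sum(1 for n in range(2, limit) if is_prime_trial(n))
    passed = sum(1 for n in range(2, limit) if passes_base2_test(n))
    return {
        "primes": primes,
        "passed_fast_test": passed,
        "false_positives": passed - primes,
    }


if __name__ == "__main__":
    # 341 = 11 * 31 is composite, yet 341 divides 2**341 - 2.
    print("341 prime by trial division:", is_prime_trial(341))
    print("341 passes base-2 test:    ", passes_base2_test(341))
    print("pseudoprimes below 2000:   ", pseudoprimes_below(2000))
    print("survey below 2000:         ", survey(2000))

    # The fast test scales to sizes where trial division cannot:
    # 2**127 - 1 is a known Mersenne prime with 39 decimal digits.
    print("2**127 - 1 passes:         ", passes_base2_test(2**127 - 1))
```

The survey makes the text's point concrete: below 2000 the fast test is wrong only a handful of times, which is why a pass means "extremely likely prime" and never "proved prime".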

Factoring a positive integer into primes is another central problem in number theory. 
The factorization of a positive integer can be found using trial division, but this method 
is extremely time-consuming. Fermat, Euler, and many other mathematicians devised 
imaginative factorization algorithms, which have been extended in the past 30 years 
into a wide array of factoring methods. Using the best-known techniques, we can easily 
find primes with hundreds or even thousands of digits; factoring integers with the same 
number of digits, however, is beyond our most powerful computers. 

The dichotomy between the time required to find large integers which are almost 
certainly prime and the time required to factor large integers is the basis of an extremely 
important secrecy system, the RSA cryptosystem. The RSA system is a public key 
cryptosystem, a security system in which each person has a public key and an associated 
private key. Messages can be encrypted by anyone using another person’s public key, 
but these messages can be decrypted only by the owner of the private key. Concepts 
from number theory are essential to understanding the basic workings of the RSA 
cryptosystem, as well as many other parts of modern cryptography. The overwhelming
importance of number theory in cryptography contradicts the earlier belief, held by many 
mathematicians, that number theory was unimportant for real-world applications. It is 
ironic that some famous mathematicians, such as G. H. Hardy, took pride in the notion 
that number theory would never be applied in the way that it is today. 

The search for integer solutions of equations is another important part of number 
theory. An equation with the added proviso that only integer solutions are sought is called 
diophantine, after the ancient Greek mathematician Diophantus. Many different types of 
diophantine equations have been studied, but the most famous is the Fermat equation 
$x^n + y^n = z^n$. Fermat’s last theorem states that if n is an integer greater than 2, this
equation has no solutions in integers x, y, and z, where $xyz \neq 0$. Fermat conjectured
in the seventeenth century that this theorem was true, and mathematicians (and others) 
searched for proofs for more than three centuries, but it was not until 1995 that the first 
proof was given by Andrew Wiles. 

As Wiles’s proof shows, number theory is not a static subject! New discoveries 
continue steadily to be made, and researchers frequently establish significant theoretical 
results. The fantastic power available when today’s computers are linked over the Internet 
yields a rapid pace of new computational discoveries in number theory. Everyone can 
participate in this quest; for instance, you can join the quest for the new Mersenne primes, 
primes of the form $2^p - 1$, where p itself is prime. In August 2008, the first prime with
more than 10 million decimal digits was found: the Mersenne prime $2^{43,112,609} - 1$. This
discovery qualified for a $100,000 prize from the Electronic Frontier Foundation. A 
concerted effort is under way to find a prime with more than 100 million digits, with a 
$150,000 prize offered. After learning about some of the topics covered in this text, you 
may decide to join the hunt yourself, putting your idle computing resources to good use. 

What is elementary number theory? You may wonder why the word “elementary” 
is part of the title of this book. This book considers only that part of number theory called 
elementary number theory, which is the part not dependent on advanced mathematics, 
such as the theory of complex variables, abstract algebra, or algebraic geometry. Students 
who plan to continue the study of mathematics will learn about more advanced areas of
number theory, such as analytic number theory (which takes advantage of the theory 
of complex variables) and algebraic number theory (which uses concepts from abstract 
algebra to prove interesting results about algebraic number fields). 

Some words of advice. As you embark on your study, keep in mind that number 
theory is a classical subject with results dating back thousands of years, yet is also the 
most modern of subjects, with new discoveries being made at a rapid pace. It is pure
mathematics with the greatest intellectual appeal, yet it is also applied mathematics, with 
crucial applications to cryptography and other aspects of computer science and electrical 
engineering. I hope that you find the many facets of number theory as captivating as 
aficionados who have preceded you, many of whom retained an interest in number theory 
long after their school days were over. 

Experimentation and exploration play a key role in the study of number theory. The 
results in this book were found by mathematicians who often examined large amounts of 
numerical evidence, looking for patterns and making conjectures. They worked diligently 
to prove their conjectures; some of these were proved and became theorems, others were 
rejected when counterexamples were found, and still others remain unresolved. As you 
study number theory, I recommend that you examine many examples, look for patterns, 
and formulate your own conjectures. You can examine small examples by hand, much as 
the founders of number theory did, but unlike these pioneers, you can also take advantage 
of today’s vast computing power and computational engines. Working through examples, 
either by hand or with the aid of computers, will help you to learn the subject — and you
may even find some new results of your own! 
The Integers


In the most general sense, number theory deals with the properties of different sets of
numbers. In this chapter, we will discuss some particularly important sets of numbers, 
including the integers, the rational numbers, and the algebraic numbers. We will briefly 
introduce the notion of approximating real numbers by rational numbers. We will also 
introduce the concept of a sequence, and particular sequences of integers, including some 
figurate numbers studied in ancient Greece. A common problem is the identification of 
a particular integer sequence from its initial terms; we will briefly discuss how to attack 
such problems. 

Using the concept of a sequence, we will define countable sets and show that the set 
of rational numbers is countable. We will also introduce notations for sums and products, 
and establish some useful summation formulas. 

One of the most important proof techniques in number theory (and in much of 
mathematics) is mathematical induction. We will discuss the two forms of mathematical 
induction, illustrate how they can be used to prove various results, and explain why 
mathematical induction is a valid proof technique. 

Continuing, we will introduce the intriguing sequence of Fibonacci numbers, and 
describe the original problem from which they arose. We will establish some identities 
and inequalities involving the Fibonacci numbers, using mathematical induction for 
some of our proofs. 

The final section of this chapter deals with a fundamental notion in number theory, 
that of divisibility. We will establish some of the basic properties of division of integers, 
including the “division algorithm.” We will show how the quotient and remainder of a 
division of one integer by another can be expressed using values of the greatest integer 
function (we will describe a few of the many useful properties of this function, as well). 


1.1 Numbers and Sequences 

In this section, we introduce basic material that will be used throughout the text. In 
particular, we cover the important sets of numbers studied in number theory, the concept 
of integer sequences, and summations and products. 


Numbers 

To begin, we will introduce several different types of numbers. The integers are the 
numbers in the set 


{..., -3, -2, -1, 0, 1, 2, 3, ...}.

The integers play center stage in the study of number theory. One property of the positive 
integers deserves special mention. 

The Well-Ordering Property. Every nonempty set of positive integers has a least
element. 

The well-ordering property may seem obvious, but it is the basic principle that allows 
us to prove many results about sets of integers, as we will see in Section 1.3. 

The well-ordering property can be taken as one of the axioms defining the set of 
positive integers or it may be derived from a set of axioms in which it is not included. 
(See Appendix A for axioms for the set of integers.) We say that the set of positive 
integers is well ordered. However, the set of all integers (positive, negative, and zero) 
is not well ordered, as there are sets of integers without a smallest element, such as the 
set of negative integers, the set of even integers less than 100, and the set of all integers 
itself. 

Another important class of numbers in the study of number theory is the set of 
numbers that can be written as a ratio of integers. 

Definition. The real number r is rational if there are integers p and q, with $q \neq 0$,
such that r = p/q. If r is not rational, it is said to be irrational.

Example 1.1. The numbers -22/7, 0 = 0/1, 2/17, and 1111/41 are rational numbers.

◄ 

Note that every integer n is a rational number, because n = n/1. Examples of irrational
numbers are $\sqrt{2}$, $\pi$, and e. We can use the well-ordering property of the set of positive
integers to show that $\sqrt{2}$ is irrational. The proof that we provide, although quite clever,
is not the simplest proof that $\sqrt{2}$ is irrational. You may prefer the proof that we will give
in Chapter 4, which depends on concepts developed in that chapter. (The proof that e is
irrational is left as Exercise 44. We refer the reader to [HaWr08] for a proof that $\pi$ is
irrational. It is not easy.)

Theorem 1.1. $\sqrt{2}$ is irrational.

Proof. Suppose that $\sqrt{2}$ were rational. Then there would exist positive integers a and b
such that $\sqrt{2} = a/b$. Consequently, the set $S = \{k\sqrt{2} \mid k \text{ and } k\sqrt{2} \text{ are positive integers}\}$
is a nonempty set of positive integers (it is nonempty because $a = b\sqrt{2}$ is a member
of S). Therefore, by the well-ordering property, S has a smallest element, say, $s = t\sqrt{2}$.
We have $s\sqrt{2} - s = s\sqrt{2} - t\sqrt{2} = (s - t)\sqrt{2}$. Because $s\sqrt{2} = 2t$ and s are both
integers, $s\sqrt{2} - s = s\sqrt{2} - t\sqrt{2} = (s - t)\sqrt{2}$ must also be an integer. Furthermore, it
is positive, because $s\sqrt{2} - s = s(\sqrt{2} - 1)$ and $\sqrt{2} > 1$. It is less than s, because $\sqrt{2} < 2$
so that $\sqrt{2} - 1 < 1$. This contradicts the choice of s as the smallest positive integer in S.
It follows that $\sqrt{2}$ is irrational. ■

The sets of integers, positive integers, rational numbers, and real numbers are 
traditionally denoted by $\mathbb{Z}$, $\mathbb{Z}^+$, $\mathbb{Q}$, and $\mathbb{R}$, respectively. Also, we write $x \in S$ to indicate
that x belongs to the set S. Such notation will be used occasionally in this book. 

We briefly mention several other types of numbers here, though we do not return to 
them until Chapter 12. 

Definition. A number $\alpha$ is algebraic if it is the root of a polynomial with integer
coefficients; that is, $\alpha$ is algebraic if there exist integers $a_0, a_1, \ldots, a_n$ such that
$a_n\alpha^n + a_{n-1}\alpha^{n-1} + \cdots + a_0 = 0$. The number $\alpha$ is called transcendental if it is not algebraic.

Example 1.2. The irrational number $\sqrt{2}$ is algebraic, because it is a root of the
polynomial $x^2 - 2$. ◄

Note that every rational number is algebraic. This follows from the fact that the number 
a/b, where a and b are integers and $b \neq 0$, is the root of $bx - a$. In Chapter 12,
we will give an example of a transcendental number. The numbers e and $\pi$ are also
transcendental, but the proofs of these facts (which can be found in [HaWr08]) are beyond
the scope of this book. 

The Greatest Integer Function 

In number theory, a special notation is used for the largest integer that is less than or 
equal to a particular real number. 

Definition. The greatest integer in a real number x, denoted by [x], is the largest integer
less than or equal to x. That is, [x] is the integer satisfying

$[x] \le x < [x] + 1$.

Example 1.3. We have [5/2] = 2, [-5/2] = -3, [$\pi$] = 3, [-2] = -2, and [0] = 0. ◄

Remark. The greatest integer function is also known as the floor function. Instead of
using the notation [x] for this function, computer scientists usually use the notation $\lfloor x \rfloor$.
The ceiling function is a related function often used by computer scientists. The ceiling
function of a real number x, denoted by $\lceil x \rceil$, is the smallest integer greater than or equal
to x. For example, $\lceil 5/2 \rceil = 3$ and $\lceil -5/2 \rceil = -2$.

The greatest integer function arises in many contexts. Besides being important in 
number theory, as we will see throughout this book, it plays an important role in the 
analysis of algorithms, a branch of computer science. The following example establishes 
a useful property of this function. Additional properties of the greatest integer function
are found in the exercises at the end of this section and in [GrKnPa94].

Example 1.4. Show that if n is an integer, then [x + n] = [x] + n whenever x is a
real number. To show that this property holds, let [x] = m, so that m is an integer. This
implies that $m \le x < m + 1$. We can add n to this inequality to obtain $m + n \le x + n <
m + n + 1$. This shows that m + n = [x] + n is the greatest integer less than or equal to
x + n. Hence, [x + n] = [x] + n. ◄

Definition. The fractional part of a real number x, denoted by {x}, is the difference 
between x and the largest integer less than or equal to x, namely, [x]. That is, {x} = 
x - [x]. 


Because $[x] \le x < [x] + 1$, it follows that $0 \le \{x\} = x - [x] < 1$ for every real 
number $x$. The greatest integer in $x$ is also called the integral part of $x$ because $x = 
[x] + \{x\}$. 

Example 1.5. We have $\{5/4\} = 5/4 - [5/4] = 5/4 - 1 = 1/4$ and $\{-2/3\} = -2/3 - 
[-2/3] = -2/3 - (-1) = 1/3$. ◄ 


Diophantine Approximation 

We know that the distance of a real number to the integer closest to it is at most 1/2. 
But can we show that one of the first k multiples of a real number must be much closer 
to an integer? An important part of number theory called diophantine approximation 
studies questions such as this. In particular, it concentrates on questions that involve 
the approximation of real numbers by rational numbers. (The adjective diophantine 
comes from the Greek mathematician Diophantus, whose biography can be found in 
Section 13.1.) 

Here we will show that among the first $n$ multiples of a real number $\alpha$, there must 
be at least one at a distance less than $1/n$ from the integer nearest it. The proof will 
depend on the famous pigeonhole principle, introduced by the German mathematician 
Dirichlet.¹ Informally, this principle tells us if we have more objects than boxes, when 
these objects are placed in the boxes, at least two must end up in the same box. Although 
this seems like a particularly simple idea, it turns out to be extremely useful in number 
theory and combinatorics. We now state and prove this important fact, which is known 
as the pigeonhole principle, because if you have more pigeons than roosts, two pigeons 
must end up in the same roost. 

Theorem 1.2. The Pigeonhole Principle. If k + 1 or more objects are placed into k 
boxes, then at least one box contains two or more of the objects. 


1 Instead of calling Theorem 1.2 the pigeonhole principle, Dirichlet called it the Schubfachprinzip in German, 
which translates to the drawer principle in English. A biography of Dirichlet can be found in Section 3.1. 

Proof. If none of the k boxes contains more than one object, then the total number of 
objects would be at most k. This contradiction shows that one of the boxes contains at 
least two or more of the objects. ■ 

We now state and prove the approximation theorem, which guarantees that one of 
the first $n$ multiples of a real number must be within $1/n$ of an integer. The proof we 
give illustrates the utility of the pigeonhole principle. (See [Ro07] for more applications 
of the pigeonhole principle.) (Note that in the proof we make use of the absolute value 
function. Recall that $|x|$, the absolute value of $x$, equals $x$ if $x \ge 0$ and $-x$ if $x < 0$. Also 
recall that $|x - y|$ gives the distance between $x$ and $y$.) 

Theorem 1.3. Dirichlet’s Approximation Theorem. If $\alpha$ is a real number and $n$ is a 
positive integer, then there exist integers $a$ and $b$ with $1 \le a \le n$ such that $|a\alpha - b| < 1/n$. 

Proof. Consider the $n + 1$ numbers $0, \{\alpha\}, \{2\alpha\}, \ldots, \{n\alpha\}$. These $n + 1$ numbers 
are the fractional parts of the numbers $j\alpha$, $j = 0, 1, \ldots, n$, so that $0 \le \{j\alpha\} < 1$ for 
$j = 0, 1, \ldots, n$. Each of these $n + 1$ numbers lies in one of the $n$ disjoint intervals 
$0 \le x < 1/n$, $1/n \le x < 2/n$, $\ldots$, $(j - 1)/n \le x < j/n$, $\ldots$, $(n - 1)/n \le x < 1$. 
Because there are $n + 1$ numbers under consideration, but only $n$ intervals, the pigeonhole 
principle tells us that at least two of these numbers lie in the same interval. Because each 
of these intervals has length $1/n$ and does not include its right endpoint, we know that 
the distance between two numbers that lie in the same interval is less than $1/n$. It follows 
that there exist integers $j$ and $k$ with $0 \le j < k \le n$ such that $|\{k\alpha\} - \{j\alpha\}| < 1/n$. We 
will now show that when $a = k - j$, the product $a\alpha$ is within $1/n$ of an integer, namely, 
the integer $b = [k\alpha] - [j\alpha]$. To see this, note that 

\begin{align*}
|a\alpha - b| &= |(k - j)\alpha - ([k\alpha] - [j\alpha])| \\
&= |(k\alpha - [k\alpha]) - (j\alpha - [j\alpha])| \\
&= |\{k\alpha\} - \{j\alpha\}| < 1/n.
\end{align*}

Furthermore, note that because $0 \le j < k \le n$, we have $1 \le a = k - j \le n$. Consequently, 
we have found integers $a$ and $b$ with $1 \le a \le n$ and $|a\alpha - b| < 1/n$, as desired. 


Example 1.6. Suppose that $\alpha = \sqrt{2}$ and $n = 6$. We find that $1 \cdot \sqrt{2} \approx 1.414$, $2 \cdot \sqrt{2} \approx 
2.828$, $3 \cdot \sqrt{2} \approx 4.243$, $4 \cdot \sqrt{2} \approx 5.657$, $5 \cdot \sqrt{2} \approx 7.071$, and $6 \cdot \sqrt{2} \approx 8.485$. Among these 
numbers $5 \cdot \sqrt{2}$ has the smallest fractional part. We see that $|5 \cdot \sqrt{2} - 7| \approx |7.071 - 7| = 
0.071 < 1/6$. It follows that when $\alpha = \sqrt{2}$ and $n = 6$, we can take $a = 5$ and $b = 7$ to 
make $|a\alpha - b| < 1/n$. ◄ 
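The pigeonhole argument in the proof of Theorem 1.3 is constructive, and the following added example (not part of the original text) runs it as written: it places the fractional parts of $0, \alpha, 2\alpha, \ldots, n\alpha$ into the $n$ intervals and returns $a = k - j$ and $b = [k\alpha] - [j\alpha]$ for the first two multiples that share an interval. The function names are this example's own; $\alpha$ may be a float (subject to floating-point rounding) or an exact `Fraction`.

```python
import math
from fractions import Fraction


def frac_part(x):
    """Fractional part {x} = x - [x], where [x] is the greatest integer <= x."""
    return x - math.floor(x)


def dirichlet_pair(alpha, n):
    """Return integers (a, b) with 1 <= a <= n and |a*alpha - b| < 1/n.

    Follows the pigeonhole proof: drop {0*alpha}, ..., {n*alpha} into the n
    half-open intervals [i/n, (i+1)/n) and stop at the first collision.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    seen = {}  # interval index -> the multiplier j whose {j*alpha} landed there
    for k in range(n + 1):
        # min() guards against float rounding pushing {k*alpha} * n up to n.
        box = min(int(frac_part(k * alpha) * n), n - 1)
        if box in seen:
            j = seen[box]
            a = k - j
            b = math.floor(k * alpha) - math.floor(j * alpha)
            return a, b
        seen[box] = k
    # n + 1 numbers cannot occupy n intervals without sharing one.
    raise AssertionError("unreachable by the pigeonhole principle")


def satisfies_theorem(alpha, n):
    """True if the pair found for (alpha, n) meets the bounds of Theorem 1.3."""
    a, b = dirichlet_pair(alpha, n)
    return 1 <= a <= n and abs(a * alpha - b) < Fraction(1, n)


if __name__ == "__main__":
    # The case worked in Example 1.6: alpha = sqrt(2), n = 6.
    print(dirichlet_pair(math.sqrt(2), 6))
```

For $\alpha = \sqrt{2}$ and $n = 6$ the collision is between $\{0 \cdot \sqrt{2}\}$ and $\{5 \cdot \sqrt{2}\}$, which gives the same pair $a = 5$, $b = 7$ as Example 1.6.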

Our proof of Theorem 1.3 follows Dirichlet’s original 1834 proof. Proving a stronger 
version of Theorem 1.3 with $1/(n + 1)$ replacing $1/n$ in the approximation is not difficult 
(see Exercise 32). Furthermore, in Exercise 34 we show how to use the Dirichlet 
approximation theorem to show that, given an irrational number $\alpha$, there are infinitely 
many different rational numbers $p/q$ such that $|\alpha - p/q| < 1/q^2$, an important result in 
the theory of diophantine approximation. We will return to this topic in Chapter 12. 

Sequences 

A sequence $\{a_n\}$ is a list of numbers $a_1, a_2, a_3, \ldots$. We will consider many particular 
integer sequences in our study of number theory. We introduce several useful sequences 
in the following examples. 

Example 1.7. The sequence $\{a_n\}$, where $a_n = n^2$, begins with the terms 1, 4, 9, 16, 25, 
36, 49, 64, .... This is the sequence of the squares of integers. The sequence $\{b_n\}$, where 
$b_n = 2^n$, begins with the terms 2, 4, 8, 16, 32, 64, 128, 256, .... This is the sequence of 
powers of 2. The sequence $\{c_n\}$, where $c_n = 0$ if $n$ is odd and $c_n = 1$ if $n$ is even, begins 
with the terms 0, 1, 0, 1, 0, 1, 0, 1, .... ◄ 

There are many sequences in which each successive term is obtained from the 
previous term by multiplying by a common factor. For example, each term in the 
sequence of powers of 2 is 2 times the previous term. This leads to the following 
definition. 

Definition. A geometric progression is a sequence of the form $a, ar, ar^2, ar^3, \ldots, 
ar^k, \ldots$, where $a$, the initial term, and $r$, the common ratio, are real numbers. 

Example 1.8. The sequence $\{a_n\}$, where $a_n = 3 \cdot 5^n$, $n = 0, 1, 2, \ldots$, is a geometric 
sequence with initial term 3 and common ratio 5. (Note that we have started the sequence 
with the term $a_0$. We can start the index of the terms of a sequence with 0 or any other 
integer that we choose.) ◄ 

A common problem in number theory is finding a formula or rule for constructing 
the terms of a sequence, even when only a few terms are known (such as trying to find 
a formula for the nth triangular number $1 + 2 + 3 + \cdots + n$). Even though the initial 
terms of a sequence do not determine the sequence, knowing the first few terms can lead 
to a conjecture for a formula or rule for the terms. Consider the following examples. 

Example 1.9. Conjecture a formula for $a_n$, where the first eight terms of $\{a_n\}$ are 
4, 11, 18, 25, 32, 39, 46, 53. We note that each term, starting with the second, is obtained 
by adding 7 to the previous term. Consequently, the nth term could be the initial term 
plus $7(n - 1)$. A reasonable conjecture is that $a_n = 4 + 7(n - 1) = 7n - 3$. ◄ 

The sequence proposed in Example 1.9 is an arithmetic progression, that is, a 
sequence of the form $a, a + d, a + 2d, \ldots, a + nd, \ldots$. The particular sequence in 
Example 1.9 has $a = 4$ and $d = 7$. 

Example 1.10. Conjecture a formula for $a_n$, where the first eight terms of the sequence 
$\{a_n\}$ are 5, 11, 29, 83, 245, 731, 2189, 6563. We note that each term is approximately 3 
times the previous term, suggesting a formula for $a_n$ in terms of $3^n$. The integers $3^n$ for 
$n = 1, 2, 3, \ldots$ are 3, 9, 27, 81, 243, 729, 2187, 6561. Looking at these two sequences 
together, we find that the formula $a_n = 3^n + 2$ produces these terms. ◄ 

Example 1.11. Conjecture a formula for $a_n$, where the first ten terms of the sequence 
$\{a_n\}$ are 1, 1, 2, 3, 5, 8, 13, 21, 34, 55. After examining this sequence from different 
perspectives, we notice that each term of this sequence, after the first two terms, is the 
sum of the two preceding terms. That is, we see that $a_n = a_{n-1} + a_{n-2}$ for $3 \le n \le 10$. 
This is an example of a recursive definition of a sequence, discussed in Section 1.3. The 
terms listed in this example are the initial terms of the Fibonacci sequence, which is 
discussed in Section 1.4. ◄ 

Integer sequences arise in many contexts in number theory. Among the sequences 
we will study are the Fibonacci numbers, the prime numbers (covered in Chapter 3), and 
the perfect numbers (introduced in Section 7.3). Integer sequences appear in an amazing 
range of subjects besides number theory. Neil Sloane has amassed a fantastically diverse 
collection of more than 170,000 integer sequences (as of early 2010) in his On-Line 
Encyclopedia of Integer Sequences. This collection is available on the Web. (Note that 
in early 2010, the OEIS Foundation took over maintenance of this collection.) (The 
book [SlPl95] is an earlier printed version containing only a small percentage of the 
current contents of the encyclopedia.) This site provides a program for finding sequences 
that match initial terms provided as input. You may find this a valuable resource as you 
continue your study of number theory (as well as other subjects). 

We now define what it means for a set to be countable, and show that a set is countable 
if and only if its elements can be listed as the terms of a sequence. 

Definition. A set is countable if it is finite or it is infinite and there exists a one-to- 
one correspondence between the set of positive integers and the set. A set that is not 
countable is called uncountable. 

An infinite set is countable if and only if its elements can be listed as the terms of a 
sequence indexed by the set of positive integers. To see this, simply note that a one-to-one 
correspondence $f$ from the set of positive integers to a set $S$ is exactly the same as 
a listing of the elements of the set in a sequence $a_1, a_2, \ldots, a_n, \ldots$, where $a_i = f(i)$. 

Example 1.12. The set of integers is countable, because the integers can be listed 
starting with 0, followed by 1 and -1, followed by 2 and -2, and so on. This produces 
the sequence 0, 1, -1, 2, -2, 3, -3, ..., where $a_1 = 0$, $a_{2n} = n$, and $a_{2n+1} = -n$ for 
$n = 1, 2, \ldots$. ◄ 

Is the set of rational numbers countable? At first glance, it may seem unlikely that 
there would be a one-to-one correspondence between the set of positive integers and the 
set of all rational numbers. However, there is such a correspondence, as the following 
theorem shows. 

Theorem 1.4. The set of rational numbers is countable. 

Proof. We can list the rational numbers as the terms of a sequence, as follows. First, we 
arrange all the rational numbers in a two-dimensional array, as shown in Figure 1.1. We 
put all fractions with a denominator of 1 in the first row. We arrange these by placing the 
fraction with a particular numerator in the position this numerator occupies in the list of 
all integers given in Example 1.12. Next, we list all fractions on successive diagonals, 
following the order shown in Figure 1.1. Finally, we delete from the list all fractions that 
represent rational numbers that have already been listed. (For example, we do not list 
2/2, because we have already listed 1/1.) 




[Figure 1.1: Listing the rational numbers.]

The initial terms of the sequence are 0/1 = 0, 1/1 = 1, -1/1 = -1, 1/2, 1/3, -1/2, 
2/1 = 2, -2/1 = -2, -1/3, 1/4, and so on. We leave it to the reader to fill in the details, 
to see that this procedure lists all rational numbers as the terms of a sequence. ■ 
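The listing procedure in the proof of Theorem 1.4 can be carried out mechanically, as in the following added example (not part of the original text). Row $d$ of the array holds the fractions with denominator $d$, ordered by the integer listing of Example 1.12; the direction of travel along each diagonal is an assumption of this example, chosen so that the output agrees with the initial terms stated in the proof. A fraction repeats an earlier value exactly when it is not in lowest terms, so the deletion step becomes a gcd test.

```python
from fractions import Fraction
from itertools import count, islice
from math import gcd


def kth_integer(c):
    """c-th term (c >= 1) of the listing 0, 1, -1, 2, -2, ... of Example 1.12."""
    return c // 2 if c % 2 == 0 else -(c // 2)


def rationals():
    """Yield every rational number exactly once, diagonal by diagonal."""
    for s in count(2):                 # diagonal s: row d + column c == s
        rows = range(1, s)             # row d holds the fractions over d
        if s % 2 == 1:
            rows = reversed(rows)      # assumed zigzag: odd diagonals run upward
        for d in rows:
            num = kth_integer(s - d)
            # gcd(0, d) == d, so 0 survives only as 0/1; 2/2, 2/4, ... are
            # dropped because the same value was listed in lowest terms.
            if gcd(abs(num), d) == 1:
                yield Fraction(num, d)


def first_terms(n):
    """The first n terms of the listing."""
    return list(islice(rationals(), n))


def position(q):
    """1-based index of the rational q in the listing.

    The search always terminates: num/d in lowest terms sits in row d at the
    column where Example 1.12 lists num, hence on a finite diagonal.
    """
    q = Fraction(q)
    for i, r in enumerate(rationals(), start=1):
        if r == q:
            return i


if __name__ == "__main__":
    print(", ".join(str(q) for q in first_terms(10)))
    print(position(Fraction(-3, 7)))
```

`position` is the one-to-one correspondence of the countability definition read in the reverse direction: it sends each rational number to the positive integer that indexes it.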

We have shown that the set of rational numbers is countable, but we have not given an 
example of an uncountable set. Such an example is provided by the set of real numbers, 
as shown in Exercise 45. 


1.1 Exercises 

1. Determine whether each of the following sets is well ordered. Either give a proof using the 
well-ordering property of the set of positive integers, or give an example of a subset of the 
set that has no smallest element. 

a) the set of integers greater than 3 

b) the set of even positive integers 

c) the set of positive rational numbers 

d) the set of positive rational numbers that can be written in the form a/2, where a is a 
positive integer 

e) the set of nonnegative rational numbers 

>- 2. Show that if $a$ and $b$ are positive integers, then there is a smallest positive integer of the form 
$a - bk$, $k \in \mathbb{Z}$. 

3. Prove that both the sum and the product of two rational numbers are rational. 

4. Prove or disprove each of the following statements. 

a) The sum of a rational and an irrational number is irrational. 

b) The sum of two irrational numbers is irrational. 
c) The product of a rational number and an irrational number is irrational. 

d) The product of two irrational numbers is irrational. 

* 5. Use the well-ordering property to show that $\sqrt{3}$ is irrational. 

6. Show that every nonempty set of negative integers has a greatest element. 

7. Find the following values of the greatest integer function. 

a) [1/4] b) [-3/4] c) [22/7] d) [-2] e) [[1/2] + [1/2]] f) [-3 + [-1/2]] 

8. Find the following values of the greatest integer function. 

a) [-1/4] b) [-22/7] c) [5/4] d) [[1/2]] e) [[3/2] + [-3/2]] f) [3 - [1/2]] 

9. Find the fractional part of each of these numbers: 

a) 8/5 b) 1/7 c) -11/4 d) 7 

10. Find the fractional part of each of these numbers: 

a) -8/5 b) 22/7 c) -1 d) -1/3 

11. What is the value of $[x] + [-x]$ where $x$ is a real number? 

12. Show that $[x] + [x + 1/2] = [2x]$ whenever $x$ is a real number. 

13. Show that $[x + y] \ge [x] + [y]$ for all real numbers $x$ and $y$. 

14. Show that $[2x] + [2y] \ge [x] + [y] + [x + y]$ whenever $x$ and $y$ are real numbers. 

15. Show that if $x$ and $y$ are positive real numbers, then $[xy] \ge [x][y]$. What is the situation when 
both $x$ and $y$ are negative? When one of $x$ and $y$ is negative and the other positive? 

16. Show that $-[-x]$ is the least integer greater than or equal to $x$ when $x$ is a real number. 

17. Show that $[x + 1/2]$ is the integer nearest to $x$ (when there are two integers equidistant from 
$x$, it is the larger of the two). 

18. Show that if $m$ and $n$ are integers, then $[(x + n)/m] = [([x] + n)/m]$ whenever $x$ is a real 
number. 

* 19. Show that $[\sqrt{[x]}] = [\sqrt{x}]$ whenever $x$ is a nonnegative real number. 

* 20. Show that if $m$ is a positive integer, then 

\[ [mx] = [x] + [x + (1/m)] + [x + (2/m)] + \cdots + [x + (m - 1)/m] \]

whenever $x$ is a real number. 

21. Conjecture a formula for the nth term of $\{a_n\}$ if the first ten terms of this sequence are as 
follows. 

a) 3, 11, 19, 27, 35, 43, 51, 59, 67, 75 

b) 5, 7, 11, 19, 35, 67, 131, 259, 515, 1027 

c) 1, 0, 0, 1, 0, 0, 0, 0, 1, 0 

d) 1, 3, 4, 7, 11, 18, 29, 47, 76, 123 

22. Conjecture a formula for the nth term of $\{a_n\}$ if the first ten terms of this sequence are as 
follows. 

a) 2, 6, 18, 54, 162, 486, 1458, 4374, 13122, 39366 

b) 1, 1, 0, 1, 1, 0, 1, 1, 0, 1 

c) 1, 2, 3, 5, 7, 10, 13, 17, 21, 26 

d) 3, 5, 11, 21, 43, 85, 171, 341, 683, 1365 

23. Find three different formulas or rules for the terms of a sequence $\{a_n\}$ if the first three terms 
of this sequence are 1, 2, 4. 

24. Find three different formulas or rules for the terms of a sequence $\{a_n\}$ if the first three terms 
of this sequence are 2, 3, 6. 

25. Show that the set of all integers greater than -100 is countable. 

26. Show that the set of all rational numbers of the form $n/5$, where $n$ is an integer, is countable. 

27. Show that the set of all numbers of the form $a + b\sqrt{2}$, where $a$ and $b$ are integers, is countable. 

* 28. Show that the union of two countable sets is countable. 

* 29. Show that the union of a countable number of countable sets is countable. 

30. Using a computational aid, if needed, find integers $a$ and $b$ such that $1 \le a \le 8$ and $|a\alpha - b| < 
1/8$, where $\alpha$ has these values: 

a) $\sqrt{2}$ b) $\sqrt[3]{2}$ c) $\pi$ d) $e$ 

31. Using a computational aid, if needed, find integers $a$ and $b$ such that $1 \le a \le 10$ and 
$|a\alpha - b| < 1/10$, where $\alpha$ has these values: 

a) $\sqrt{3}$ b) $\sqrt[3]{3}$ c) $\pi^2$ d) $e^3$ 

32. Prove the following stronger version of Dirichlet’s approximation. If $\alpha$ is a real number 
and $n$ is a positive integer, there are integers $a$ and $b$ such that $1 \le a \le n$ and $|a\alpha - b| \le 
1/(n + 1)$. (Hint: Consider the $n + 2$ numbers $0, \ldots, \{j\alpha\}, \ldots, 1$ and the $n + 1$ intervals 
$(k - 1)/(n + 1) \le x \le k/(n + 1)$ for $k = 1, \ldots, n + 1$.) 

33. Show that if $\alpha$ is a real number and $n$ is a positive integer, then there is an integer $k$ such that 
$|\alpha - n/k| \le 1/2k$. 

34. Use Dirichlet’s approximation theorem to show that if $\alpha$ is an irrational number, then there are 
infinitely many positive integers $q$ for which there is an integer $p$ such that $|\alpha - p/q| < 1/q^2$. 

35. Find four rational numbers $p/q$ with $|\sqrt{2} - p/q| < 1/q^2$. 

36 . Find five rational numbers p/q with Iv^ — p/q\ < \/q 2 . 

37. Show that if $\alpha = a/b$ is a rational number, then there are only finitely many rational numbers 
$p/q$ such that $|p/q - a/b| < 1/q^2$. 

The spectrum sequence of a real number $\alpha$ is the sequence that has $[n\alpha]$ as its nth term. 

38. Find the first ten terms of the spectrum sequence of each of the following numbers. 

a) 2 b) $\sqrt{2}$ c) $2 + \sqrt{2}$ d) $e$ e) $(1 + \sqrt{5})/2$ 

39. Find the first ten terms of the spectrum sequence of each of the following numbers. 

a) 3 b) $\sqrt{3}$ c) $(3 + \sqrt{3})/2$ d) $\pi$ 

40. Prove that if $\alpha \ne \beta$, then the spectrum sequence of $\alpha$ is different from the spectrum sequence 
of $\beta$. 

* * 41. Show that every positive integer occurs exactly once in the spectrum sequence of $\alpha$ or in 
the spectrum sequence of $\beta$ if and only if $\alpha$ and $\beta$ are positive irrational numbers such that 
$1/\alpha + 1/\beta = 1$. 

The Ulam numbers $u_n$, $n = 1, 2, 3, \ldots$ are defined as follows. We specify that $u_1 = 1$ and $u_2 = 2$. 
For each successive integer $m$, $m > 2$, this integer is an Ulam number if and only if it can be written 
uniquely as the sum of two distinct Ulam numbers. These numbers are named for Stanislaw Ulam, 
who first described them in 1964. 


42. Find the first ten Ulam numbers. 

* 43. Show that there are infinitely many Ulam numbers. 

* 44. Prove that $e$ is irrational. (Hint: Use the fact that $e = 1 + 1/1! + 1/2! + 1/3! + \cdots$.) 

* 45. Show that the set of real numbers is uncountable. (Hint: Suppose it is possible to list the real 
numbers between 0 and 1. Show that the number whose ith decimal digit is 4 when the ith 
decimal digit of the ith real number in the list is 5 and is 5 otherwise is not on the list.) 


Computations and Explorations 

1. Find 10 rational numbers $p/q$ such that $|\pi - p/q| < 1/q^2$. 

2. Find 20 rational numbers $p/q$ such that $|e - p/q| < 1/q^2$. 

3. Find as many terms as you can of the spectrum sequence of ^2. (See the preamble to 
Exercise 38 for the definition of spectrum.) 


STANISLAW M. ULAM (1909-1984) was born in Lvov, Poland. He became 
interested in astronomy and physics at age 12, after receiving a telescope from 
his uncle. He decided to learn the mathematics required to understand relativity 
theory, and at the age of 14 he used textbooks to learn calculus and other 
mathematics. 

Ulam received his Ph.D. from the Polytechnic Institute in Lvov in 1933, 
completing his degree under the mathematician Banach, in the area of real 
analysis. In 1935, he was invited to spend several months at the Institute for 
Advanced Study; in 1936, he joined Harvard University as a member of the Society of Fellows, 
remaining in this position until 1940. During these years he returned each summer to Poland where 
he spent time in cafes, such as the Scottish Cafe, intensely doing mathematics with his fellow Polish 

Luckily for Ulam, he left Poland in 1939, just one month before the outbreak of World War 
II. In 1940, he was appointed to a position as an assistant professor at the University of Wisconsin, 
and in 1943, he was enlisted to work in Los Alamos on the development of the first atomic bomb, 
as part of the Manhattan Project. Ulam made several key contributions that led to the creation of 
thermonuclear bombs. At Los Alamos, Ulam also developed the Monte Carlo method, which uses a 
sampling technique with random numbers to find solutions of mathematical problems. 

Ulam remained at Los Alamos after the war until 1965. He served on the faculties of the 
University of Southern California, the University of Colorado, and the University of Florida. Ulam 
had a fabulous memory and was an extremely verbal person. His mind was a repository of stories, 
jokes, puzzles, quotations, formulas, problems, and many other types of information. He wrote several 
books, including Sets, Numbers, and Universes and Adventures of a Mathematician. He was interested 
in and contributed to many areas of mathematics, including number theory, real analysis, probability 
theory, and mathematical biology. 

4. Find as many terms as you can of the spectrum sequence of $\pi$. (See the preamble to Exercise 38 
for the definition of spectrum.) 

5. Find the first 1000 Ulam numbers. 

6. How many pairs of consecutive integers can you find where both are Ulam numbers? 

7. Can the sum of any two consecutive Ulam numbers, other than 1 and 2, be another Ulam 
number? If so, how many examples can you find? 

8. How large are the gaps between consecutive Ulam numbers? Do you think that these gaps 
can be arbitrarily long? 

9. What conjectures can you make about the number of Ulam numbers less than an integer $n$? 
Do your computations support these conjectures? 

Programming Projects 

1. Given a number $\alpha$, find rational numbers $p/q$ such that $|\alpha - p/q| < 1/q^2$. 

2. Given a number $\alpha$, find its spectrum sequence. 

3. Find the first n Ulam numbers, where n is a positive integer. 


1.2 Sums and Products 

Because summations and products arise so often in the study of number theory, we now 
introduce notation for summations and products. The following notation represents the 
sum of the numbers $a_1, a_2, \ldots, a_n$: 

\[ \sum_{k=1}^{n} a_k = a_1 + a_2 + \cdots + a_n. \]

The letter $k$, the index of summation, is a “dummy variable” and can be replaced by any 
letter. For instance, 

\[ \sum_{k=1}^{n} a_k = \sum_{j=1}^{n} a_j = \sum_{i=1}^{n} a_i, \text{ and so forth.} \]

Example 1.13. We see that $\sum_{j=1}^{5} j = 1 + 2 + 3 + 4 + 5 = 15$, $\sum_{j=1}^{5} 2 = 2 + 2 + 2 + 
2 + 2 = 10$, and $\sum_{j=1}^{5} 2^j = 2 + 2^2 + 2^3 + 2^4 + 2^5 = 62$. 

We also note that, in summation notation, the index of summation may range 
between any two integers, as long as the lower limit does not exceed the upper limit. 
If $m$ and $n$ are integers such that $m \le n$, then $\sum_{k=m}^{n} a_k = a_m + a_{m+1} + \cdots + a_n$. For 
instance, we have $\sum_{k=3}^{5} k^2 = 3^2 + 4^2 + 5^2 = 50$, $\sum_{k=0}^{2} 3^k = 3^0 + 3^1 + 3^2 = 13$, and 
$\sum_{k=-2}^{1} k^3 = (-2)^3 + (-1)^3 + 0^3 + 1^3 = -8$. ◄ 

We will often need to consider sums in which the index of summation ranges over 
all those integers that possess a particular property. We can use summation notation to 
specify the particular property or properties the index must have for a term with that index 
to be included in the sum. This use of notation is illustrated in the following example. 


Example 1.14. We see that 

\[ \sum_{\substack{j \le 10 \\ j \in \{n^2 \mid n \in \mathbb{Z}\}}} 1/(j + 1) = 1/1 + 1/2 + 1/5 + 1/10 = 9/5, \]

because the terms in the sum are all those for which $j$ is an integer not exceeding 10 that 
is a perfect square. ◄ 


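The following three properties for summations are often useful. We leave their proofs 
to the reader. 

\[ \sum_{j=m}^{n} c a_j = c \sum_{j=m}^{n} a_j \tag{1.1} \]

\[ \sum_{j=m}^{n} (a_j + b_j) = \sum_{j=m}^{n} a_j + \sum_{j=m}^{n} b_j \tag{1.2} \]

\[ \sum_{i=m}^{n} \sum_{j=p}^{q} a_i b_j = \Bigl( \sum_{i=m}^{n} a_i \Bigr) \Bigl( \sum_{j=p}^{q} b_j \Bigr) = \sum_{j=p}^{q} \sum_{i=m}^{n} a_i b_j \tag{1.3} \]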

Next, we develop several useful summation formulas. We often need to evaluate 
sums of consecutive terms of a geometric series. The following example shows how a 
formula for such sums can be derived. 


Example 1.15. To evaluate 

\[ S = \sum_{j=0}^{n} a r^j, \]

the sum of the first $n + 1$ terms of the geometric series $a, ar, \ldots, ar^k, \ldots$, we multiply 
both sides by $r$ and manipulate the resulting sum to find: 

\begin{align*}
rS &= r \sum_{j=0}^{n} a r^j \\
&= \sum_{j=0}^{n} a r^{j+1} \\
&= \sum_{k=1}^{n+1} a r^k && \text{(shifting the index of summation, taking $k = j + 1$)} \\
&= \sum_{k=0}^{n} a r^k + (a r^{n+1} - a) && \text{(removing the term with $k = n + 1$ from the set and adding the term with $k = 0$)} \\
&= S + (a r^{n+1} - a).
\end{align*}

It follows that 

\[ rS - S = (a r^{n+1} - a). \]

Solving for $S$ shows that when $r \ne 1$, 

\[ S = \frac{a r^{n+1} - a}{r - 1}. \]

Note that when $r = 1$, we have $\sum_{j=0}^{n} a r^j = \sum_{j=0}^{n} a = (n + 1)a$. ◄ 

Example 1.16. Taking $a = 3$, $r = -5$, and $n = 6$ in the formula found in Example 1.15, 
we see that $\sum_{j=0}^{6} 3(-5)^j = \frac{3(-5)^7 - 3}{-5 - 1} = 39{,}063$. ◄ 

The following example shows that the sum of the first n consecutive powers of 2 is 
1 less than the next power of 2. 

Example 1.17. Let $n$ be a positive integer. To find the sum 

\[ \sum_{k=0}^{n} 2^k = 1 + 2 + 2^2 + \cdots + 2^n, \]

we use Example 1.15, with $a = 1$ and $r = 2$, to obtain 

\[ 1 + 2 + 2^2 + \cdots + 2^n = \frac{2^{n+1} - 1}{2 - 1} = 2^{n+1} - 1. \] ◄ 

A summation of the form $\sum_{j=1}^{n} (a_j - a_{j-1})$, where $a_0, a_1, a_2, \ldots, a_n$ is a sequence 
of numbers, is said to be telescoping. Telescoping sums are easily evaluated because 

\begin{align*}
\sum_{j=1}^{n} (a_j - a_{j-1}) &= (a_1 - a_0) + (a_2 - a_1) + \cdots + (a_n - a_{n-1}) \\
&= a_n - a_0.
\end{align*}

The ancient Greeks were interested in sequences of numbers that can be represented 
by regular arrangements of equally spaced points. The following example illustrates one 
such sequence of numbers. 

Example 1.18. The triangular numbers $t_1, t_2, t_3, \ldots, t_k, \ldots$ is the sequence where $t_k$ 
is the number of dots in the triangular array of $k$ rows with $j$ dots in the $j$th row. ◄ 

Figure 1.2 illustrates that $t_k$ counts the dots in successively larger regular triangles 
for $k$ = 1, 2, 3, 4, and 5. 

[Figure 1.2: The Triangular Numbers. The arrays shown contain 1, 3, 6, 10, and 15 dots.]

Next, we will determine an explicit formula for the nth triangular number t n . 

Example 1.19. How can we find a formula for the nth triangular number? One approach 
is to use the identity $(k + 1)^2 - k^2 = 2k + 1$. When we isolate the factor $k$, we find 
that $k = ((k + 1)^2 - k^2)/2 - 1/2$. When we sum this expression for $k$ over the values 
$k = 1, 2, \ldots, n$, we obtain 

\begin{align*}
t_n &= \sum_{k=1}^{n} k \\
&= \Bigl( \sum_{k=1}^{n} ((k + 1)^2 - k^2)/2 \Bigr) - \sum_{k=1}^{n} 1/2 && \text{(replacing $k$ with $(((k + 1)^2 - k^2)/2) - 1/2$)} \\
&= ((n + 1)^2/2 - 1/2) - n/2 && \text{(simplifying a telescoping sum)} \\
&= (n^2 + 2n)/2 - n/2 \\
&= (n^2 + n)/2 \\
&= n(n + 1)/2.
\end{align*}

The second equality here follows by the formula for the sum of a telescoping series with 
$a_k = (k + 1)^2 - k^2$. We conclude that the nth triangular number $t_n = n(n + 1)/2$. (See 
Exercise 7 for another way to find $t_n$.) ◄ 

We also define a notation for products, analogous to that for summations. The 
product of the numbers $a_1, a_2, \ldots, a_n$ is denoted by 

\[ \prod_{j=1}^{n} a_j = a_1 a_2 \cdots a_n. \]

The letter $j$ above is a “dummy variable,” and can be replaced arbitrarily. 

Example 1.20. To illustrate the notation for products, we have 

\[ \prod_{j=1}^{5} j = 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 = 120, \]

\[ \prod_{j=1}^{5} 2 = 2 \cdot 2 \cdot 2 \cdot 2 \cdot 2 = 2^5 = 32, \text{ and} \]

\[ \prod_{j=1}^{5} 2^j = 2 \cdot 2^2 \cdot 2^3 \cdot 2^4 \cdot 2^5 = 2^{15}. \] ◄ 

The factorial function arises throughout number theory. 

Definition. Let $n$ be a positive integer. Then $n!$ (read as “n factorial”) is the product of 
the integers $1, 2, \ldots, n$. We also specify that $0! = 1$. In terms of product notation, we 
have $n! = \prod_{j=1}^{n} j$. 

Example 1.21. We have $1! = 1$, $4! = 1 \cdot 2 \cdot 3 \cdot 4 = 24$, and $12! = 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \cdot 7 \cdot 
8 \cdot 9 \cdot 10 \cdot 11 \cdot 12 = 479{,}001{,}600$. ◄ 


1.2 Exercises 


* 


1. Find each of the following sums. 

a)Ey,i7 2 b)Ej,,(-3) 

2. Find each of the following sums. 

a)Ej=o 3 b)E‘,„0'-3) 

3. Find each of the following sums. 

a)£* =1 2' - b)E-=i5(-3 ) ; ‘ 

4. Find each of the following sums. 

a) Ejio 8 ' 3 ' b ) £]= 0 (-2) 7+1 


c) T.U I/O' + 1) 
c) £ - =0 O + D/O + 2) 
c ) £* =1 3 (— 1 / 2) 7 
C ) £y= 0 (V3) ; 


5. Find and prove a formula for $\sum_{k=1}^{n} [\sqrt{k}]$ in terms of $n$ and $[\sqrt{n}]$. (Hint: Use the formula 
$\sum_{k=1}^{t} k^2 = t(t + 1)(2t + 1)/6$.) 

6. By putting together two triangular arrays, one with $n$ rows and one with $n - 1$ rows, to form 
a square (as illustrated for $n = 4$), show that $t_{n-1} + t_n = n^2$, where $t_n$ is the nth triangular 
number. 

7. By putting together two triangular arrays, each with $n$ rows, to form a rectangular array of 
dots of size $n$ by $n + 1$ (as illustrated for $n = 4$), show that $2t_n = n(n + 1)$. From this, conclude 
that $t_n = n(n + 1)/2$. 



8. Show that $3t_n + t_{n-1} = t_{2n}$, where $t_n$ is the nth triangular number. 

9. Show that $t_{n+1}^2 - t_n^2 = (n + 1)^3$, where $t_n$ is the nth triangular number. 

The pentagonal numbers $p_1, p_2, p_3, \ldots, p_k, \ldots$, are the integers that count the number of dots 
in $k$ nested pentagons, as shown in the following figure. 

[Figure: nested pentagons containing 1, 5, 12, and 22 dots.]

>- 10. Show that $p_1 = 1$ and $p_k = p_{k-1} + (3k - 2)$ for $k \ge 2$. Conclude that $p_n = \sum_{k=1}^{n} (3k - 2)$ and 
evaluate this sum to find a simple formula for $p_n$. 

11. Prove that the sum of the $(n - 1)$st triangular number and the nth square number is the nth 
pentagonal number. 

12. a) Define the hexagonal numbers $h_n$ for $n = 1, 2, \ldots$ in a manner analogous to the definitions 
of triangular, square, and pentagonal numbers. (Recall that a hexagon is a six-sided 
polygon.) 

b) Find a closed formula for hexagonal numbers. 

13. a) Define the heptagonal numbers in a manner analogous to the definitions of triangular, 
square, and pentagonal numbers. (Recall that a heptagon is a seven-sided polygon.) 

b) Find a closed formula for heptagonal numbers. 

14. Show that $h_n = t_{2n-1}$ for all positive integers $n$ where $h_n$ is the nth hexagonal number, defined 
in Exercise 12, and $t_{2n-1}$ is the $(2n - 1)$st triangular number. 

15. Show that $p_n = t_{3n-1}/3$ where $p_n$ is the nth pentagonal number and $t_{3n-1}$ is the $(3n - 1)$st 
triangular number. 

The tetrahedral numbers $T_1, T_2, T_3, \ldots, T_k, \ldots$ are the integers that count the number of dots 
on the faces of $k$ nested tetrahedra, as shown in the following figure. 

16. Show that the nth tetrahedral number is the sum of the first $n$ triangular numbers. 

17. Find and prove a closed formula for the nth tetrahedral number. 

18. Find $n!$ for $n$ equal to each of the first ten positive integers. 

19. List the integers $100!$, $100^{100}$, $2^{100}$, and $(50!)^2$ in order of increasing size. Justify your answer. 

20. Express each of the following products in terms of $\prod_{i=1}^{n} a_i$, where $k$ is a constant. 

a) $\prod_{i=1}^{n} k a_i$ b) $\prod_{i=1}^{n} i a_i$ c) $\prod_{i=1}^{n} a_i^k$ 

21 . Use the identity ^ = I - ^ to evaluate EL, W+T)- 

22. Use the identity = i ^_i_ _ to evaluate EL 2 pry- 

23 . Find a formula for ELi ^ using a technique analogous to that in Example 1.21 and the 
formula found there. 

24 . Find a formula for ELi ^ us hig a technique analogous to that in Example 1.19, and the 
results of that example and Exercise 21. 

25. Without multiplying all the terms, verify these equalities. 

a) 10! = 6! 7! b) 10! = 7! 5! 3! c) 16! = 14! 5! 2! d) 9! = 7! 3! 3! 2! 

26. Let $a_1, a_2, \ldots, a_n$ be positive integers. Let $b = (a_1!\, a_2! \cdots a_n!) - 1$, and $c = a_1!\, a_2! \cdots a_n!$. 
Show that $c! = a_1!\, a_2! \cdots a_n!\, b!$. 

27. Find all positive integers $x$, $y$, and $z$ such that $x! + y! = z!$. 

28 . Find the values of the following products. 

a)rrua-i/;) wn^a-v; 2 ) 

Computations and Explorations 

1. What are the largest values of n for which n! has fewer than 100 decimal digits, fewer than 
1000 decimal digits, and fewer than 10,000 decimal digits? 

2. Find as many triangular numbers that are perfect squares as you can. (We will study this 
question in the Exercises in Section 13.4.) 

3. Find as many tetrahedral numbers that are perfect squares as you can. 

Programming Projects 

1. Given the terms of a sequence $a_1, a_2, \ldots, a_n$, compute $\sum_{j=1}^{n} a_j$ and $\prod_{j=1}^{n} a_j$. 

2. Given the terms of a geometric progression, find the sum of its terms. 
3. Given a positive integer n, find the nth triangular number, the nth perfect square, the nth 
pentagonal number, and the nth tetrahedral number. 


1.3 Mathematical Induction 

By examining the sums of the first n odd positive integers for small values of n, we can 
conjecture a formula for this sum. We have 

1 = 1, 

1 + 3 = 4, 

1 + 3 + 5 = 9, 

1 + 3 + 5 + 7 = 16, 

1 + 3 + 5 + 7 + 9 = 25, 

1 + 3 + 5 + 7 + 9 + 11 = 36. 

From these values, we conjecture that $\sum_{j=1}^{n} (2j - 1) = 1 + 3 + 5 + 7 + \cdots + 2n - 1 = n^2$ 
for every positive integer n. 

How can we prove that this formula holds for all positive integers n? 

The principle of mathematical induction is a valuable tool for proving results 
about the integers — such as the formula just conjectured for the sum of the first n odd 
positive integers. First, we will state this principle, and then we will show how it is 
used. Subsequently, we will use the well-ordering principle to show that mathematical 
induction is a valid proof technique. We will use the principle of mathematical induction, 
and the well-ordering property, many times in our study of number theory. 

We must accomplish two things to prove by mathematical induction that a particular 
statement holds for every positive integer. Letting S be the set of positive integers for 
which we claim the statement to be true, we must show that 1 belongs to S; that is, that 
the statement is true for the integer 1. This is called the basis step. 

Second, we must show, for each positive integer n, that n + 1 belongs to S if n does; 
that is, that the statement is true for n + 1 if it is true for n. This is called the inductive step. 
Once these two steps are completed, we can conclude by the principle of mathematical 
induction that the statement is true for all positive integers. 

Theorem 1.5. The Principle of Mathematical Induction. A set of positive integers 
that contains the integer 1, and that has the property that, if it contains the integer k, then 
it also contains k + 1, must be the set of all positive integers. 

We illustrate the use of mathematical induction by several examples; first, we prove 
the conjecture made at the start of this section. 
Example 1.22. We will use mathematical induction to show that 

$$\sum_{j=1}^{n} (2j - 1) = 1 + 3 + \cdots + (2n - 1) = n^2$$

for every positive integer n. (By the way, if our conjecture for the value of this sum was 
incorrect, mathematical induction would fail to produce a proof!) 

We begin with the basis step, which follows because 

$$\sum_{j=1}^{1} (2j - 1) = 2 \cdot 1 - 1 = 1 = 1^2.$$

For the inductive step, we assume the inductive hypothesis that the formula holds 
for n; that is, we assume that $\sum_{j=1}^{n} (2j - 1) = n^2$. Using the inductive hypothesis, we 
have 

$$\begin{aligned}
\sum_{j=1}^{n+1} (2j - 1) &= \sum_{j=1}^{n} (2j - 1) + (2(n + 1) - 1) && \text{(splitting off the term with } j = n + 1\text{)} \\
&= n^2 + 2(n + 1) - 1 && \text{(using the inductive hypothesis)} \\
&= n^2 + 2n + 1 \\
&= (n + 1)^2.
\end{aligned}$$

Because both the basis and the inductive steps have been completed, we know that the 
result holds. ◄ 

Next, we prove an inequality via mathematical induction. 


Example 1.23. We can show by mathematical induction that $n! \le n^n$ for every positive 
integer n. The basis step, namely, the case where n = 1, holds because $1! = 1 \le 1^1 = 1$. 
Now, assume that $n! \le n^n$; this is the inductive hypothesis. To complete the proof, we 
must show, under the assumption that the inductive hypothesis is true, that $(n + 1)! \le 
(n + 1)^{n+1}$. Using the inductive hypothesis, we have 

$$\begin{aligned}
(n + 1)! &= (n + 1) \cdot n! \\
&\le (n + 1)\, n^n \\
&< (n + 1)(n + 1)^n \\
&\le (n + 1)^{n+1}.
\end{aligned}$$

This completes both the inductive step and the proof. ◄ 


The Origin of Mathematical Induction 

The first known use of mathematical induction appears in the work of the sixteenth-century 
mathematician Francesco Maurolico (1494-1575). In his book Arithmeticorum Libri Duo, 
Maurolico presented various properties of the integers, together with proofs. He devised the 
method of mathematical induction so that he could complete some of the proofs. The first 
use of mathematical induction in his book was in the proof that the sum of the first n odd 
positive integers equals $n^2$. 

We now show that the principle of mathematical induction follows from the well- 
ordering principle. 

Proof. Let S be a set of positive integers containing the integer 1, and the integer n + 1 
whenever it contains n. Assume (for the sake of contradiction) that S is not the set of 
all positive integers. Therefore, there are some positive integers not contained in S. By 
the well-ordering property, because the set of positive integers not contained in S is 
nonempty, there is a least positive integer n that is not in S. Note that $n \ne 1$, because 1 
is in S. 

Now, because n > 1 (as there is no positive integer n with n < 1), the integer n - 1 
is a positive integer smaller than n, and hence must be in S. But because S contains 
n - 1, it must also contain (n - 1) + 1 = n, which is a contradiction, as n is supposedly 
the smallest positive integer not in S. This shows that S must be the set of all positive 
integers. ■ 

A slight variant of the principle of mathematical induction is also sometimes useful 
in proofs. 

Theorem 1.6. The Second Principle of Mathematical Induction. A set of positive 
integers that contains the integer 1, and that has the property that, for every positive 
integer n, if it contains all the positive integers 1, 2, . . . , n, then it also contains the 
integer n + 1, must be the set of all positive integers. 

The second principle of mathematical induction is sometimes called strong induction 
to distinguish it from the principle of mathematical induction, which is also called 
weak induction. 

Before proving that the second principle of mathematical induction is valid, we will 
give an example to illustrate its use. 

Example 1.24. We will show that any amount of postage more than one cent can be 
formed using just two-cent and three-cent stamps. For the basis step, note that postage 
of two cents can be formed using one two-cent stamp and postage of three cents can be 
formed using one three-cent stamp. 

For the inductive step, assume that every amount of postage not exceeding n cents, 
$n \ge 3$, can be formed using two-cent and three-cent stamps. Then a postage amount of 
n + 1 cents can be formed by taking stamps of n - 1 cents together with a two-cent 
stamp. This completes the proof. ◄ 
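
The strong-induction argument of Example 1.24 can be run as a table-filling procedure: each new amount is built from an already-solved smaller amount plus one stamp. The Python code below is an added example, not part of the text. It goes beyond the two- and three-cent case to any two denominations, so it can also be run on the stamp pairs of Exercises 13 and 14; all function names are assumptions of this example.

```python
def stamp_table(a, b, limit):
    """Map every amount 0..limit to (count_a, count_b), or None if it cannot be formed.

    Mirrors the second principle of induction: the entry for n is derived
    from entries for smaller amounts that are already in the table.
    """
    if a <= 0 or b <= 0 or limit < 0:
        raise ValueError("denominations must be positive and limit nonnegative")
    table = {0: (0, 0)}  # zero postage needs no stamps
    for n in range(1, limit + 1):
        table[n] = None
        # Inductive step: add one a-cent stamp to a solved amount n - a ...
        if n >= a and table[n - a] is not None:
            x, y = table[n - a]
            table[n] = (x + 1, y)
        # ... or, failing that, one b-cent stamp to a solved amount n - b.
        elif n >= b and table[n - b] is not None:
            x, y = table[n - b]
            table[n] = (x, y + 1)
    return table


def largest_unformable(table):
    """Largest amount in the table with no representation (0 if there is none)."""
    gaps = [n for n, combo in table.items() if combo is None]
    return max(gaps) if gaps else 0


def all_entries_correct(table, a, b):
    """Check that every recorded combination really adds up to its amount."""
    return all(
        combo is None or a * combo[0] + b * combo[1] == n
        for n, combo in table.items()
    )


if __name__ == "__main__":
    # Example 1.24: two- and three-cent stamps.
    t = stamp_table(2, 3, 20)
    for amount in range(2, 11):
        twos, threes = t[amount]
        print(f"{amount} cents = {twos} x 2 + {threes} x 3")
    print("largest amount that cannot be formed:", largest_unformable(t))
```

The table is complete because any amount that can be formed uses at least one stamp, and removing that stamp leaves a smaller amount that can be formed, which is exactly the situation the inductive step handles.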
We will now show that the second principle of mathematical induction is a valid 
technique. 

Proof. Let T be a set of integers containing 1 and such that for every positive integer n, 
if it contains 1, 2, . . . , n, it also contains n + 1. Let S be the set of all positive integers 
n such that all the positive integers less than or equal to n are in T. Then 1 is in S, and 
by the hypotheses, we see that if n is in S, then n + 1 is in S. Hence, by the principle 
of mathematical induction, S must be the set of all positive integers, so clearly T is also 
the set of all positive integers, because S is a subset of T. ■ 

Recursive Definitions 

The principle of mathematical induction provides a method for defining the values of 
functions at positive integers. Instead of explicitly specifying the value of the function 
at n, we give the value of the function at 1 and give a rule for finding, for each positive 
integer n, the value of the function at n + 1 from the value of the function at n. 

Definition. We say that the function f is defined recursively if the value of f at 1 is 
specified and if for each positive integer n a rule is provided for determining f(n + 1) 
from f(n). 

The principle of mathematical induction can be used to show that a function that is 
defined recursively is defined uniquely at each positive integer (see Exercise 25 at the 
end of this section). We illustrate how to define a function recursively with the following 
definition. 

Example 1.25. We will recursively define the factorial function $f(n) = n!$. First, we 
specify that 

$$f(1) = 1.$$

Then we give a rule for finding f(n + 1) from f(n) for each positive integer, namely, 

$$f(n + 1) = (n + 1) \cdot f(n).$$

These two statements uniquely define $n!$ for the set of positive integers. 

To find the value of $f(6) = 6!$ from the recursive definition, use the second property 
successively, as follows: 

$$f(6) = 6 \cdot f(5) = 6 \cdot 5 \cdot f(4) = 6 \cdot 5 \cdot 4 \cdot f(3) = 6 \cdot 5 \cdot 4 \cdot 3 \cdot f(2) = 6 \cdot 5 \cdot 4 \cdot 3 \cdot 2 \cdot f(1).$$

Then use the first statement of the definition to replace f(1) by its stated value 1, to 
conclude that 

$$6! = 6 \cdot 5 \cdot 4 \cdot 3 \cdot 2 \cdot 1 = 720.$$ ◄ 

The second principle of mathematical induction also serves as a basis for recursive 
definitions. We can define a function whose domain is the set of positive integers by 
specifying its value at 1 and giving a rule, for each positive integer n, for finding f(n) 
from the values f(j) for each integer j with $1 \le j \le n - 1$. This will be the basis for the 
definition of the sequence of Fibonacci numbers discussed in Section 1.4. 


1.3 Exercises 

1. Use mathematical induction to prove that $n < 2^n$ whenever n is a positive integer. 

2. Conjecture a formula for the sum of the first n even positive integers. Prove your result using 
mathematical induction. 

3. Use mathematical induction to prove that Yll=i ) p = ^ + ^ + "' + ^- 2_ n whenever 
n is a positive integer. 

4. Conjecture a formula for $\sum_{k=1}^{n} \frac{1}{k(k+1)} = \frac{1}{1 \cdot 2} + \frac{1}{2 \cdot 3} + \cdots + \frac{1}{n(n+1)}$ from the value of this sum 
for small integers n. Prove that your conjecture is correct using mathematical induction. 
(Compare this to Exercise 17 in Section 1.2.) 

5. Conjecture a formula for A" where A = ^ ^ j ^ . Prove your conjecture using mathematical 
induction. 

6. Use mathematical induction to prove that $\sum_{j=1}^{n} j = 1 + 2 + 3 + \cdots + n = n(n + 1)/2$ for 
every positive integer n. (Compare this to Example 1.19 in Section 1.2.) 

7. Use mathematical induction to prove that $\sum_{j=1}^{n} j^2 = 1^2 + 2^2 + 3^2 + \cdots + n^2 = 
n(n + 1)(2n + 1)/6$ for every positive integer n. 

8. Use mathematical induction to prove that $\sum_{j=1}^{n} j^3 = 1^3 + 2^3 + 3^3 + \cdots + n^3 = 
[n(n + 1)/2]^2$ for every positive integer n. 

9. Use mathematical induction to prove that $\sum_{j=1}^{n} j(j + 1) = 1 \cdot 2 + 2 \cdot 3 + \cdots + n \cdot 
(n + 1) = n(n + 1)(n + 2)/3$ for every positive integer n. 

10. Use mathematical induction to prove that $\sum_{j=1}^{n} (-1)^{j-1} j^2 = 1^2 - 2^2 + 3^2 - \cdots + 
(-1)^{n-1} n^2 = (-1)^{n-1} n(n + 1)/2$ for every positive integer n. 

11. Find a formula for $\prod_{j=1}^{n} 2^j$. 

12. Show that $\sum_{j=1}^{n} j \cdot j! = 1 \cdot 1! + 2 \cdot 2! + \cdots + n \cdot n! = (n + 1)! - 1$ for every positive 
integer n. 

13. Show that any amount of postage that is an integer number of cents greater than 11 cents can 
be formed using just 4-cent and 5-cent stamps. 

14. Show that any amount of postage that is an integer number of cents greater than 53 cents can 
be formed using just 7-cent and 10-cent stamps. 

Let $H_n$ be the nth partial sum of the harmonic series, that is, $H_n = \sum_{j=1}^{n} 1/j$. 

* 15. Use mathematical induction to show that $H_{2^n} \ge 1 + n/2$. 

* 16. Use mathematical induction to show that $H_{2^n} < 1 + n$. 

17. Show by mathematical induction that if n is a positive integer, then $(2n)! < 2^{2n} (n!)^2$. 

18. Use mathematical induction to prove that x — y is a factor of x n — y n , where x and y are 
variables. 
19. Use the principle of mathematical induction to show that a set of integers that contains the 
integer k, such that this set contains n + 1 whenever it contains n, contains the set of integers 
that are greater than or equal to k. 

20. Use mathematical induction to prove that $2^n < n!$ for n > 4. 

21. Use mathematical induction to prove that $n^2 < n!$ for n > 4. 

22. Show by mathematical induction that if h > -1, then $1 + nh \le (1 + h)^n$ for all nonnegative 
integers n. 

23. A jigsaw puzzle is solved by putting its pieces together in the correct way. Show that exactly 
n - 1 moves are required to solve a jigsaw puzzle with n pieces, where a move consists of 
putting together two blocks of pieces, with a block consisting of one or more assembled 
pieces. (Hint: Use the second principle of mathematical induction.) 

24. Explain what is wrong with the following proof by mathematical induction that all horses are 
the same color: Clearly all horses in any set of 1 horse are all the same color. This completes 
the basis step. Now assume that all horses in any set of n horses are the same color. Consider 
a set of n + 1 horses, labeled with the integers 1, 2, . . . , n + 1. By the induction hypothesis, 
horses 1, 2, . . . , n are all the same color, as are horses 2, 3, . . . , n, n + 1. Because these two 
sets of horses have common members, namely, horses 2, 3, 4, . . . , n, all n + 1 horses must 
be the same color. This completes the induction argument. 

25. Use the principle of mathematical induction to show that the value at each positive integer of 
a function defined recursively is uniquely determined. 

26. What function f(n) is defined recursively by f(1) = 2 and f(n + 1) = 2f(n) for $n \ge 1$? 
Prove your answer using mathematical induction. 

27. If g is defined recursively by g(1) = 2 and $g(n) = 2^{g(n-1)}$ for $n \ge 2$, what is g(4)? 

28. Use the second principle of mathematical induction to show that if /(l) is specified and a 
rule for finding f(n + 1) from the values of f at the first n positive integers is given, then 
f(n ) is uniquely determined for every positive integer n. 

29. We define a function recursively for all positive integers n by f(1) = 1, f(2) = 5, and 
for $n \ge 2$, f(n + 1) = f(n) + 2f(n - 1). Show that $f(n) = 2^n + (-1)^n$, using the second 
principle of mathematical induction. 

30. Show that $2^n > n^2$ whenever n is an integer greater than 4. 

31. Suppose that $a_0 = 1$, $a_1 = 3$, $a_2 = 9$, and $a_n = a_{n-1} + a_{n-2} + a_{n-3}$ for $n \ge 3$. Show that $a_n \le 3^n$ 
for every nonnegative integer n. 

32. The tower of Hanoi was a popular puzzle of the late nineteenth century. The puzzle includes 
three pegs and eight rings of different sizes placed in order of size, with the largest on the 
bottom, on one of the pegs. The goal of the puzzle is to move all of the rings, one at a time, 
without ever placing a larger ring on top of a smaller ring, from the first peg to the second, 
using the third as an auxiliary peg. 

a) Use mathematical induction to show that the minimum number of moves to transfer n 
rings from one peg to another, with the rules we have described, is $2^n - 1$. 

b) An ancient legend tells of the monks in a tower with 64 gold rings and 3 diamond pegs. 
They started moving the rings, one move per second, when the world was created. When 
they finish transferring the rings to the second peg, the world will end. How long will the 
world last? 
* 33. The arithmetic mean and the geometric mean of the positive real numbers $a_1, a_2, \ldots, a_n$ 
are $A = (a_1 + a_2 + \cdots + a_n)/n$ and $G = (a_1 a_2 \cdots a_n)^{1/n}$, respectively. Use mathematical 
induction to prove that $A \ge G$ for every finite sequence of positive real numbers. When does 
equality hold? 

34. Use mathematical induction to show that a $2^n \times 2^n$ chessboard with one square missing can 
be covered with L-shaped pieces, where each L-shaped piece covers three squares. 

* 35. A unit fraction is a fraction of the form 1/n, where n is a positive integer. Because the 
ancient Egyptians represented fractions as sums of distinct unit fractions, such sums are called 
Egyptian fractions. Show that every rational number p/q, where p and q are integers with 
0 < p < q, can be written as a sum of distinct unit fractions, that is, as an Egyptian fraction. 
(Hint: Use strong induction on the numerator p to show that the greedy algorithm that adds 
the largest possible unit fraction at each stage always terminates. For example, running this 
algorithm shows that 5/7 = 1/2 + 1/5 + 1/70.) 

36. Using the algorithm in Exercise 35, write each of these numbers as Egyptian fractions. 
a) 2/3 b) 5/8 c) 11/17 d) 44/101 

Computations and Explorations 

1. Complete the basis and inductive steps, using both numerical and symbolic computation, to 
prove that $\sum_{j=1}^{n} j = n(n + 1)/2$ for all positive integers n. 

2. Complete the basis and inductive steps, using both numerical and symbolic computation, to 
prove that $\sum_{j=1}^{n} j^2 = n(n + 1)(2n + 1)/6$ for all positive integers n. 

3. Complete the basis and inductive steps, using both numerical and symbolic computation, to 
prove that $\sum_{j=1}^{n} j^3 = (n(n + 1)/2)^2$ for all positive integers n. 

4. Use the values $\sum_{j=1}^{n} j^4$ for n = 1, 2, 3, 4, 5, 6 to conjecture a formula for this sum that is a 
polynomial of degree 5 in n. Attempt to prove your conjecture via mathematical induction 
using numerical and symbolic computation. 

5. Paul Erdős and E. Strauss have conjectured that the fraction 4/n can be written as the sum 
of three unit fractions, that is, 4/n = 1/x + 1/y + 1/z, where x, y, and z are distinct positive 
integers for all integers n with n > 1. Find such representation for as many positive integers 
n as you can. 

6. It is conjectured that the rational number p/q, where p and q are integers with 0 < p <q 
and q is odd, can be expressed as an Egyptian fraction that is the sum of unit fractions 
with odd denominators. Explore this conjecture using the greedy algorithm that successively 
adds the unit fraction with the least positive odd denominator q at each stage. (For example, 
2/7 = 1/5 + 1/13 + 1/115 + 1/10,465.) 

Programming Projects 

* 1. List the moves in the tower of Hanoi puzzle (see Exercise 32). If you can, animate these 
moves. 

* * 2. Cover a $2^n \times 2^n$ chessboard that is missing one square using L-shaped pieces (see Exercise 
34). 

3. Given a rational number p/q, express p/q as an Egyptian fraction using the algorithm 
described in Exercise 35. 


1.4 The Fibonacci Numbers 

In his book Liber Abaci, written in 1202, the mathematician Fibonacci posed a problem 
concerning the growth of the number of rabbits in a certain area. This problem can be 
phrased as follows: A young pair of rabbits, one of each sex, is placed on an island. 
Assuming that rabbits do not breed until they are two months old and after they are two 
months old, each pair of rabbits produces another pair each month, how many pairs are 
there after n months? 

Let $f_n$ be the number of pairs of rabbits after n months. We have $f_1 = 1$ because 
only the original pair is on the island after one month. As this pair does not breed during 
the second month, $f_2 = 1$. To find the number of pairs after n months, add the number 
on the island the previous month, $f_{n-1}$, to the number of newborn pairs, which equals 
$f_{n-2}$, because each newborn pair comes from a pair at least two months old. This leads 
to the following definition. 

Definition. The Fibonacci sequence is defined recursively by $f_1 = 1$, $f_2 = 1$, and 
$f_n = f_{n-1} + f_{n-2}$ for $n \ge 3$. The terms of this sequence are called the Fibonacci numbers. 


The mathematician Edouard Lucas named this sequence after Fibonacci in the 
nineteenth century when he established many of its properties. The answer to Fibonacci’s 
question is that there are $f_n$ rabbits on the island after n months. 

Examining the initial terms of the Fibonacci sequence will be useful as we study 
their properties. 


Example 1.26. We compute the first ten Fibonacci numbers as follows: 

$$\begin{aligned}
f_3 &= f_2 + f_1 = 1 + 1 = 2, \\
f_4 &= f_3 + f_2 = 2 + 1 = 3, \\
f_5 &= f_4 + f_3 = 3 + 2 = 5, \\
f_6 &= f_5 + f_4 = 5 + 3 = 8, \\
f_7 &= f_6 + f_5 = 8 + 5 = 13, \\
f_8 &= f_7 + f_6 = 13 + 8 = 21, \\
f_9 &= f_8 + f_7 = 21 + 13 = 34, \\
f_{10} &= f_9 + f_8 = 34 + 21 = 55.
\end{aligned}$$ ◄ 


FIBONACCI (c. 1180-1228) (short for filius Bonacci, son of Bonacci), also 
known as Leonardo of Pisa, was born in the Italian commercial center of Pisa. 
Fibonacci was a merchant who traveled extensively throughout the Mideast, 
where he came into contact with mathematical works from the Arabic world. 
In his Liber Abaci Fibonacci introduced Arabic notation for numerals and their 
algorithms for arithmetic into the European world. It was in this book that his 
famous rabbit problem appeared. Fibonacci also wrote Practica geometriae, 
a treatise on geometry and trigonometry, and Liber quadratorum, a book on 
diophantine equations. 

We can define the value of $f_0 = 0$, so that $f_2 = f_1 + f_0$. We can also define $f_n$ where 
n is a negative number so that the equality in the recursive definition is satisfied (see 
Exercise 37). 

The Fibonacci numbers occur in an amazing variety of applications. For example, 
in botany the number of spirals in plants with a pattern known as phyllotaxis is always 
a Fibonacci number. They occur in the solution of a tremendous variety of counting 
problems, such as counting the number of bit strings with no two consecutive 1s (see 
[Ro07]). 

The Fibonacci numbers also satisfy an extremely large number of identities. For 
example, we can easily find an identity for the sum of the first n consecutive Fibonacci 
numbers. 

Example 1.27. The sum of the first n Fibonacci numbers for $1 \le n \le 8$ equals 1, 2, 4, 
7, 12, 20, 33, and 54. Looking at these numbers, we see that they are all just 1 less than 
the Fibonacci number $f_{n+2}$. This leads us to the conjecture that 

$$\sum_{k=1}^{n} f_k = f_{n+2} - 1.$$

Can we prove this identity for all positive integers n? 

We will show, in two different ways, that this identity does hold for all integers n. 
We provide two different demonstrations, to show that there is often more than one way 
to prove that an identity is true. 

First, we use the fact that $f_n = f_{n-1} + f_{n-2}$ for n = 2, 3, . . . to see that $f_k = 
f_{k+2} - f_{k+1}$ for k = 1, 2, 3, . . . . This means that 

$$\sum_{k=1}^{n} f_k = \sum_{k=1}^{n} (f_{k+2} - f_{k+1}).$$

We can easily evaluate this sum because it is telescoping. Using the formula for a 
telescoping sum found in Section 1.2, we have 

$$\sum_{k=1}^{n} f_k = f_{n+2} - f_2 = f_{n+2} - 1.$$

This proves the result. 

We can also prove this identity using mathematical induction. The basis step holds 
because $\sum_{k=1}^{1} f_k = 1$ and this equals $f_{1+2} - 1 = f_3 - 1 = 2 - 1 = 1$. The inductive 
hypothesis is 

$$\sum_{k=1}^{n} f_k = f_{n+2} - 1.$$

We must show that, under this assumption, 

$$\sum_{k=1}^{n+1} f_k = f_{n+3} - 1.$$

To prove this, note that by the inductive hypothesis we have 

$$\begin{aligned}
\sum_{k=1}^{n+1} f_k &= \left( \sum_{k=1}^{n} f_k \right) + f_{n+1} \\
&= (f_{n+2} - 1) + f_{n+1} \\
&= (f_{n+1} + f_{n+2}) - 1 \\
&= f_{n+3} - 1.
\end{aligned}$$ ◄ 

The exercise set at the end of this section asks you to prove many other identities of 
the Fibonacci numbers. 

How Fast Do the Fibonacci Numbers Grow? 

The following inequality, which shows that the Fibonacci numbers grow faster than a 
geometric series with common ratio $\alpha = (1 + \sqrt{5})/2$, will be used in Chapter 3. 

Example 1.28. We can use the second principle of mathematical induction to prove 
that $f_n > \alpha^{n-2}$ for $n \ge 3$ where $\alpha = (1 + \sqrt{5})/2$. The basis step consists of verifying this 
inequality for n = 3 and n = 4. We have $\alpha < 2 = f_3$, so the theorem is true for n = 3. 
Because $\alpha^2 = (3 + \sqrt{5})/2 < 3 = f_4$, the theorem is true for n = 4. 

The inductive hypothesis consists of assuming that $\alpha^{k-2} < f_k$ for all integers k with 
$k \le n$. Because $\alpha = (1 + \sqrt{5})/2$ is a solution of $x^2 - x - 1 = 0$, we have $\alpha^2 = \alpha + 1$. 
Hence, 

$$\alpha^{n-1} = \alpha^2 \cdot \alpha^{n-3} = (\alpha + 1) \cdot \alpha^{n-3} = \alpha^{n-2} + \alpha^{n-3}.$$

By the inductive hypothesis, we have the inequalities 

$$\alpha^{n-2} < f_n, \qquad \alpha^{n-3} < f_{n-1}.$$

By adding these two inequalities, we conclude that 

$$\alpha^{n-1} < f_n + f_{n-1} = f_{n+1}.$$


This finishes the proof. 
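
The identity of Example 1.27 and the growth bound of Example 1.28 can both be checked by machine with exact integer arithmetic, which stays reliable where floating-point powers of $\alpha$ lose precision. The Python code below is an added example, not part of the text; the function names are assumptions of this example. It represents $\alpha^m$ exactly as $(p + q\sqrt{5})/2$ with integers p and q, and decides $f_n > \alpha^{n-2}$ by comparing squares of integers.

```python
def fib_upto(n):
    """Return [f_0, f_1, ..., f_n] with f_0 = 0, f_1 = 1 and f_k = f_{k-1} + f_{k-2}."""
    if n < 0:
        raise ValueError("n must be nonnegative")
    f = [0, 1]
    while len(f) <= n:
        f.append(f[-1] + f[-2])
    return f[: n + 1]


def sum_identity_holds(n):
    """Check f_1 + f_2 + ... + f_n == f_{n+2} - 1 (Example 1.27) for one n >= 1."""
    f = fib_upto(n + 2)
    return sum(f[1 : n + 1]) == f[n + 2] - 1


def alpha_power(m):
    """Return integers (p, q) with alpha**m == (p + q*sqrt(5)) / 2 for m >= 0.

    Multiplying (p + q*sqrt5)/2 by alpha = (1 + sqrt5)/2 gives
    ((p + 5q)/2 + ((p + q)/2)*sqrt5) / 2; p and q always have the same
    parity, so both divisions are exact.
    """
    p, q = 2, 0  # alpha**0 = 1 = (2 + 0*sqrt5)/2
    for _ in range(m):
        p, q = (p + 5 * q) // 2, (p + q) // 2
    return p, q


def exceeds_alpha_power(n):
    """Decide f_n > alpha**(n-2) exactly, for n >= 2 (Example 1.28 claims it for n >= 3).

    f_n > (p + q*sqrt5)/2  is the same as  2*f_n - p > q*sqrt5.  Since q >= 0,
    this holds exactly when the left side is positive and its square
    exceeds 5*q*q, so no floating point is needed.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    f_n = fib_upto(n)[n]
    p, q = alpha_power(n - 2)
    lhs = 2 * f_n - p
    return lhs > 0 and lhs * lhs > 5 * q * q


if __name__ == "__main__":
    print("f_1..f_10:", fib_upto(10)[1:])
    print("partial sums, n = 1..8:", [sum(fib_upto(n)[1:]) for n in range(1, 9)])
    print("sum identity holds for n = 1..500:",
          all(sum_identity_holds(n) for n in range(1, 501)))
    print("f_n > alpha^(n-2) for n = 3..500:",
          all(exceeds_alpha_power(n) for n in range(3, 501)))
    # At n = 2 both sides equal 1, which is why the statement starts at n = 3.
    print("strict inequality at n = 2:", exceeds_alpha_power(2))
```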
We conclude this section with an explicit formula for the nth Fibonacci number. We 
will not provide a proof in the text, but Exercises 41 and 42 at the end of this section 
outline how this formula can be found using linear homogeneous recurrence relations 
and generating functions, respectively. Furthermore, Exercise 40 asks that you prove this 
identity by showing that the terms satisfy the same recursive definition as the Fibonacci 
numbers do, and Exercise 45 asks for a proof via mathematical induction. The advantage 
of the first two approaches is that they can be used to find the formula, while the second 
two approaches cannot. 


Theorem 1.7. Let n be a positive integer and let a = and 0 Then the 

nth Fibonacci number f n is given by 




n. 


We have presented a few important results involving the Fibonacci numbers. There 
is a vast literature concerning these numbers and their many applications to botany, 
computer science, geography, physics, and other areas (see [Va89]). There is even a 
scholarly journal, The Fibonacci Quarterly, devoted to their study. 


1.4 Exercises 

1. Find the following Fibonacci numbers. 

a) $f_{10}$ c) $f_{15}$ e) $f_{20}$ 

b) fn d) f n f) $f_{25}$ 

2. Find each of the following Fibonacci numbers. 

a) fn c) $f_{24}$ e) $f_{32}$ 

b) $f_{16}$ d) $f_{30}$ f) $f_{36}$ 

3. Prove that $f_{n+3} + f_n = 2 f_{n+2}$ whenever n is a positive integer. 

4. Prove that $f_{n+3} - f_n = 2 f_{n+1}$ whenever n is a positive integer. 

5. Prove that $f_{2n} = f_n^2 + 2 f_{n-1} f_n$ whenever n is a positive integer. (Recall that $f_0 = 0$.) 

6. Prove that $f_{n-2} + f_{n+2} = 3 f_n$ whenever n is an integer with $n \ge 2$. (Recall that $f_0 = 0$.) 

7. Find and prove a simple formula for the sum of the first n Fibonacci numbers with odd indices 
when n is a positive integer. That is, find a simple formula for $f_1 + f_3 + \cdots + f_{2n-1}$. 

8. Find and prove a simple formula for the sum of the first n Fibonacci numbers with even 
indices when n is a positive integer. That is, find a simple formula for $f_2 + f_4 + \cdots + f_{2n}$. 

9. Find and prove a simple formula for the expression $f_n - f_{n-1} + f_{n-2} - \cdots + (-1)^{n+1} f_1$ 
when n is a positive integer. 

10. Prove that $f_{2n+1} = f_{n+1}^2 + f_n^2$ whenever n is a positive integer. 

11. Prove that = / 2 +1 — / 2 _j whenever n is a positive integer. (Recall that f 0 = 0.) 

12. Prove that $f_n + f_{n-1} + f_{n-2} + 2 f_{n-3} + 4 f_{n-4} + 8 f_{n-5} + \cdots + 2^{n-3} = 2^{n-1}$ whenever n is 
an integer with $n \ge 3$. 

13. Prove that $\sum_{j=1}^{n} f_j^2 = f_1^2 + f_2^2 + \cdots + f_n^2 = f_n f_{n+1}$ for every positive integer n. 

14. Prove that $f_{n+1} f_{n-1} - f_n^2 = (-1)^n$ for every positive integer n. 

15. Prove that $f_{n+1} f_n - f_{n-1} f_{n-2} = f_{2n-1}$ for every positive integer n, n > 2. 

16. Prove that $f_1 f_2 + f_2 f_3 + \cdots + f_{2n-1} f_{2n} = f_{2n}^2$ if n is a positive integer. 

17. Prove that $f_{m+n} = f_m f_{n+1} + f_n f_{m-1}$ whenever m and n are positive integers. 

The Lucas numbers, named after François-Édouard-Anatole Lucas (see Chapter 7 for a biography), 
are defined recursively by 

$$L_n = L_{n-1} + L_{n-2}, \quad n \ge 3,$$

with $L_1 = 1$ and $L_2 = 3$. They satisfy the same recurrence relation as the Fibonacci numbers, but 
the two initial values are different. 

18. Find the first 12 Lucas numbers. 

19. Find and prove a formula for the sum of the first n Lucas numbers when n is a positive integer. 

20. Find and prove a formula for the sum of the first n Lucas numbers with odd indices when n 
is a positive integer. 

21. Find and prove a formula for the sum of the first n Lucas numbers with even indices when n 
is a positive integer. 

22. Prove that $L_n^2 - L_{n+1} L_{n-1} = 5(-1)^n$ when n is an integer with $n \ge 2$. 

23. Prove that $L_1^2 + L_2^2 + \cdots + L_n^2 = L_n L_{n+1} - 2$ when n is an integer with $n \ge 1$. 

24. Show that the nth Lucas number $L_n$ is the sum of the (n + 1)st and (n - 1)st Fibonacci 
numbers, $f_{n+1}$ and $f_{n-1}$, respectively. 

25. Show that $f_{2n} = f_n L_n$ for all integers n with $n \ge 1$, where $f_n$ is the nth Fibonacci number 
and $L_n$ is the nth Lucas number. 

26. Prove that $5 f_{n+1} = L_n + L_{n+1}$ whenever n is a positive integer, $f_n$ is the nth Fibonacci 
number, and $L_n$ is the nth Lucas number. 

* 27. Prove that $L_{m+n} = f_{m+1} L_n + f_m L_{n-1}$ whenever m and n are positive integers with n > 1, $f_n$ 
is the nth Fibonacci number, and $L_n$ is the nth Lucas number. 

28. Show that $L_n$, the nth Lucas number, is given by 

$$L_n = \alpha^n + \beta^n,$$

where $\alpha = (1 + \sqrt{5})/2$ and $\beta = (1 - \sqrt{5})/2$. 

The Zeckendorf representation of a positive integer is the unique expression of this integer as the 
sum of distinct Fibonacci numbers, where no two of these Fibonacci numbers are consecutive 
terms in the Fibonacci sequence and where the term $f_1 = 1$ is not used (but the term $f_2 = 1$ may 
be used). 

29. Find the Zeckendorf representation of each of the integers 50, 85, 110, and 200. 

* 30. Show that every positive integer has a unique Zeckendorf representation. 

31. Show that $f_n < \alpha^{n-1}$ for every integer n with n > 2, where $\alpha = (1 + \sqrt{5})/2$. 

32. Show that 
where n is a nonnegative integer and $f_{n+1}$ is the (n + 1)st Fibonacci number. (See Appendix B 
for a review of binomial coefficients. Here, the sum ends with the term •) 

33. Prove that whenever n is a nonnegative integer, $\sum_{j=1}^{n} \binom{n}{j} f_j = f_{2n}$, where $f_j$ is the jth 
Fibonacci number. 

34. Let F = ^ . Show that F" = ^ ^ +1 j n i ) when n e Z+. 

35. By taking determinants of both sides of the result of Exercise 34, prove the identity in 
Exercise 14. 

36. Define the generalized Fibonacci numbers recursively by $g_1 = a$, $g_2 = b$, and $g_n = g_{n-1} + 
g_{n-2}$ for $n \ge 3$. Show that $g_n = a f_{n-2} + b f_{n-1}$ for $n \ge 3$. 

37. Give a recursive definition of the Fibonacci number $f_n$ when n is a negative integer. Use your 
definition to find $f_n$ for n = -1, -2, -3, . . . , -10. 

38. Use the results of Exercise 37 to formulate a conjecture that relates the values of $f_{-n}$ and $f_n$ 
when n is a positive integer. Prove this conjecture using mathematical induction. 

39. What is wrong with the claim that an 8 x 8 square can be broken into pieces that can be 
reassembled to form a 5 x 13 rectangle as shown? 




(Hint: Look at the identity in Exercise 14. Where is the extra square unit?) 

40. Show that if $a_n = \frac{1}{\sqrt{5}} (\alpha^n - \beta^n)$, where $\alpha = (1 + \sqrt{5})/2$ and $\beta = (1 - \sqrt{5})/2$, then $a_n = 
a_{n-1} + a_{n-2}$ and $a_1 = a_2 = 1$. Conclude that $f_n = a_n$, where $f_n$ is the nth Fibonacci number. 

A linear homogeneous recurrence relation of degree 2 with constant coefficients is an equation 
of the form 

$$a_n = c_1 a_{n-1} + c_2 a_{n-2},$$

where $c_1$ and $c_2$ are real numbers with $c_2 \ne 0$. It is not difficult to show (see [Ro07]) that if the 
equation $r^2 - c_1 r - c_2 = 0$ has two distinct roots $r_1$ and $r_2$, then the sequence $\{a_n\}$ is a solution of 
the linear homogeneous recurrence relation $a_n = c_1 a_{n-1} + c_2 a_{n-2}$ if and only if $a_n = C_1 r_1^n + C_2 r_2^n$ 
for n = 0, 1, 2, . . . , where $C_1$ and $C_2$ are constants. The values of these constants can be found 
using the two initial terms of the sequence. 

41. Find an explicit formula for $f_n$, proving Theorem 1.7, by solving the recurrence relation 
$f_n = f_{n-1} + f_{n-2}$ for n = 2, 3, . . . with initial conditions $f_0 = 0$ and $f_1 = 1$. 

The generating function for the sequence $a_0, a_1, \ldots, a_k, \ldots$ is the infinite series 

$$G(x) = \sum_{k=0}^{\infty} a_k x^k.$$

42. Use the generating function $G(x) = \sum_{k=0}^{\infty} f_k x^k$ where $f_k$ is the kth Fibonacci number to find 
an explicit formula for $f_k$, proving Theorem 1.7. (Hint: Use the fact that $f_k = f_{k-1} + f_{k-2}$ 
for k = 2, 3, . . . to show that $G(x) - xG(x) - x^2 G(x) = x$. Solve this to show that $G(x) = 
x/(1 - x - x^2)$ and then write G(x) in terms of partial fractions, as is done in calculus.) (See 
[Ro07] for information on using generating functions.) 

43. Find an explicit formula for the Lucas numbers using the technique of Exercise 41. 

44. Find an explicit formula for the Lucas numbers using the technique of Exercise 42. 

45. Use mathematical induction to prove Theorem 1.7. 


Computations and Explorations 

1. Find the Fibonacci numbers $f_{100}$, $f_{200}$, and $f_{500}$.

2. Find the Lucas numbers $L_{100}$, $L_{200}$, and $L_{500}$.

3. Examine as many Fibonacci numbers as possible to determine which are perfect squares. 
Formulate a conjecture based on your evidence. 

4. Examine as many Fibonacci numbers as possible to determine which are triangular numbers. 
Formulate a conjecture based on your evidence. 

5. Examine as many Fibonacci numbers as possible to determine which are perfect cubes. 
Formulate a conjecture based on your evidence. 

6. Find the largest Fibonacci number less than 10,000, less than 100,000, and less than
1,000,000.

7. A surprising theorem states that the Fibonacci numbers are the positive values of the polynomial
$2xy^4 + x^2y^3 - 2x^3y^2 - y^5 - x^4y + 2y$ as x and y range over all nonnegative integers.
Verify this conjecture for the values of x and y where x and y are nonnegative integers with
x + y < 100.


Programming Projects 

1. Given a positive integer n, find the first n terms of the Fibonacci sequence. 

2. Given a positive integer n, find the first n terms of the Lucas sequence. 

3. Given a positive integer n, find its Zeckendorf representation (defined in the preamble to
Exercise 29). 


1.5 Divisibility 

The concept of the divisibility of one integer by another is central in number theory. 

Definition. If a and b are integers with a ≠ 0, we say that a divides b if there is an
integer c such that b = ac. If a divides b, we also say that a is a divisor or factor of b
and that b is a multiple of a.

If a divides b we write a | b, and if a does not divide b we write a ∤ b. (Be careful
not to confuse the notations a | b, which denotes that a divides b, and a/b, which is the
quotient obtained when a is divided by b.)

Example 1.29. The following statements illustrate the concept of the divisibility of
integers: 13 | 182, -5 | 30, 17 | 289, 6 ∤ 44, 7 ∤ 50, -3 | 33, and 17 | 0. ◄

Example 1.30. The divisors of 6 are ±1, ±2, ±3, ±6. The divisors of 17 are ±1, ±17.
The divisors of 100 are ±1, ±2, ±4, ±5, ±10, ±20, ±25, ±50, ±100. ◄

In subsequent chapters, we will need some simple properties of divisibility, which 
we now state and prove. 

Theorem 1.8. If a, b, and c are integers with a | b and b | c, then a | c.

Proof. Because a | b and b | c, there are integers e and f such that ae = b and bf = c.
Hence, c = bf = (ae)f = a(ef), and we conclude that a | c. ■

Example 1.31. Because 11 | 66 and 66 | 198, Theorem 1.8 tells us that 11 | 198. ◄

Theorem 1.9. If a, b, m, and n are integers, and if c | a and c | b, then c | (ma + nb).

Proof. Because c | a and c | b, there are integers e and f such that a = ce and b = cf.
Hence, ma + nb = mce + ncf = c(me + nf). Consequently, we see that c | (ma + nb).


Example 1.32. As 3 | 21 and 3 | 33, Theorem 1.9 tells us that 3 divides 

5 • 21 - 3 • 33 = 105 - 99 = 6. ◄ 

The following theorem states an important fact about division. 

Theorem 1.10. The Division Algorithm. If a and b are integers such that b > 0, then
there are unique integers q and r such that a = bq + r with 0 ≤ r < b. ■

In the equation given in the division algorithm, we call q the quotient and r the 
remainder. We also call a the dividend and b the divisor. (Note: We use the traditional 
name for this theorem even though the division algorithm is not actually an algorithm. 
We discuss algorithms in Section 2.2.) 

We note that a is divisible by b if and only if the remainder in the division algorithm 
is 0. Before we prove the division algorithm, consider the following examples. 

Example 1.33. If a = 133 and b = 21, then q = 6 and r = 7, because 133 = 21 • 6 + 7
and 0 ≤ 7 < 21. Likewise, if a = −50 and b = 8, then q = −7 and r = 6, because
−50 = 8(−7) + 6 and 0 ≤ 6 < 8. ◄


We now prove the division algorithm using the well-ordering property. 





Proof. Consider the set S of all integers of the form a − bk where k is an integer, that
is, S = {a − bk | k ∈ Z}. Let T be the set of all nonnegative integers in S. T is nonempty,
because a − bk is positive whenever k is an integer with k < a/b.

By the well-ordering property, T has a least element r = a − bq. (These are the
values for q and r specified in the theorem.) We know that r ≥ 0 by construction, and
it is easy to see that r < b. If r ≥ b, then r > r − b = a − bq − b = a − b(q + 1) ≥ 0,
which contradicts the choice of r = a − bq as the least nonnegative integer of the form
a − bk. Hence, 0 ≤ r < b.

To show that these values for q and r are unique, assume that we have two equations
$a = bq_1 + r_1$ and $a = bq_2 + r_2$, with $0 \le r_1 < b$ and $0 \le r_2 < b$. By subtracting the second
of these equations from the first, we find that

$$0 = b(q_1 - q_2) + (r_1 - r_2).$$

Hence, we see that

$$r_2 - r_1 = b(q_1 - q_2).$$

This tells us that b divides $r_2 - r_1$. Because $0 \le r_1 < b$ and $0 \le r_2 < b$, we have
$-b < r_2 - r_1 < b$. Hence, b can divide $r_2 - r_1$ only if $r_2 - r_1 = 0$ or, in other words, if $r_1 = r_2$.
Because $bq_1 + r_1 = bq_2 + r_2$ and $r_1 = r_2$, we also see that $q_1 = q_2$. This shows that the
quotient q and the remainder r are unique. ■

We now use the greatest integer function (defined in Section 1.1) to give explicit
formulas for the quotient and remainder in the division algorithm. Because the quotient
q is the largest integer such that bq ≤ a, and r = a − bq, it follows that

(1.4)    q = [a/b],    r = a − b[a/b].

The following examples display the quotient and remainder of a division.

Example 1.34. Let a = 1028 and b = 34. Then a = bq + r with 0 ≤ r < b, where
q = [1028/34] = 30 and r = 1028 − [1028/34] • 34 = 1028 − 30 • 34 = 8. ◄

Example 1.35. Let a = −380 and b = 75. Then a = bq + r with 0 ≤ r < b, where
q = [−380/75] = −6 and r = −380 − [−380/75] • 75 = −380 − (−6)75 = 70. ◄
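The following Python sketch is an added example, not part of the text: it computes q and r from Equation (1.4) and contrasts them with truncating division (the rule C99 uses for `/` and `%`), which returns a negative remainder for the dividend of Example 1.35. The function names are hypothetical.

```python
from fractions import Fraction
from math import floor


def division_algorithm(a, b):
    """Return (q, r) with a = b*q + r and 0 <= r < b, for b > 0.

    Implements Equation (1.4): q = [a/b] and r = a - b*[a/b], where [x] is
    the greatest integer function. Fraction keeps a/b exact, so the result
    is correct for integers of any size (floating point would not be).
    """
    if b <= 0:
        raise ValueError("Theorem 1.10 requires b > 0")
    q = floor(Fraction(a, b))
    r = a - b * q
    # The two conditions that make (q, r) unique.
    assert a == b * q + r and 0 <= r < b
    return q, r


def truncated_division(a, b):
    """Return (q, r) with the quotient rounded toward zero.

    This is how C99 defines '/' and '%'. It agrees with the division
    algorithm when a >= 0, but for negative a that is not a multiple of b
    the remainder is negative.
    """
    if b <= 0:
        raise ValueError("this sketch only covers b > 0")
    q = abs(a) // b
    if a < 0:
        q = -q
    return q, a - b * q


def reduce_mod(a, b):
    """Turn a truncated remainder into the remainder of Theorem 1.10."""
    _, r = truncated_division(a, b)
    return r + b if r < 0 else r


if __name__ == "__main__":
    for a, b in [(1028, 34), (-380, 75), (133, 21), (-50, 8)]:
        print(a, b, division_algorithm(a, b), truncated_division(a, b))
```

Code that indexes a table or reduces a value with a truncated remainder needs the correction in `reduce_mod` before the result can be treated as lying in the range 0 to b − 1.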

We can use Equation (1.4) to prove a useful property of the greatest integer function. 

Example 1.36. Show that if n is a positive integer, then [x/n] = [[x]/n] whenever x
is a real number. To prove this identity, suppose that [x] = m. By the division algorithm,
we have integers q and r such that m = nq + r, where 0 ≤ r ≤ n − 1. By Equation (1.4),
we have q = [[x]/n]. Because [x] ≤ x < [x] + 1, it follows that x = [x] + ε, where
0 ≤ ε < 1. We see that [x/n] = [([x] + ε)/n] = [(m + ε)/n] = [((nq + r) + ε)/n] =
[q + (r + ε)/n]. Because 0 ≤ ε < 1, we have 0 ≤ r + ε < (n − 1) + 1 = n. It follows
that [x/n] = [q]. ◄

Given a positive integer d, we can classify integers according to their remainders
when divided by d. For example, with d = 2, we see from the division algorithm that
every integer when divided by 2 leaves a remainder of either 0 or 1. This leads to the
following definition of some common terminology.

Definition. If the remainder when n is divided by 2 is 0, then n = 2k for some integer 
k, and we say that n is even, whereas if the remainder when n is divided by 2 is 1, then 
n = 2k + 1 for some integer k, and we say that n is odd. 

Similarly, when d = 4, we see from the division algorithm that when an integer n
is divided by 4, the remainder is either 0, 1, 2, or 3. Hence, every integer is of the form
4k, 4k + 1, 4k + 2, or 4k + 3, where k is a positive integer.

We will pursue these matters further in Chapter 4. 

Greatest Common Divisors 

If a and b are integers, not both 0, then the set of common divisors of a and b is a finite 
set of integers, always containing the integers +1 and −1. We are interested in the largest
integer among the common divisors of the two integers. 

Definition. The greatest common divisor of two integers a and b, which are not both 
0, is the largest integer that divides both a and b. 

The greatest common divisor of a and b is written as (a, b). (Note that the notation 
gcd(a, b) is also used, especially outside of number theory. We will use the traditional 
notation (a, b) here, even though it is the same notation used for ordered pairs.) Note that
(0, n) = (n, 0) = n whenever n is a positive integer. Even though every positive integer 
divides 0, we define (0, 0) = 0. This is done to ensure that the results we prove about 
greatest common divisors hold in all cases. 

Example 1.37. The common divisors of 24 and 84 are ±1, ±2, ±3, ±4, ±6, and 
±12. Hence, (24, 84) = 12. Similarly, looking at sets of common divisors, we find 
that (15, 81) = 3, (100, 5) = 5, (17, 25) = 1, (0, 44) = 44, (-6, -15) = 3, and 
(-17, 289) = 17. ◄ 

We are particularly interested in pairs of integers sharing no common divisors greater 
than 1. Such pairs of integers are called relatively prime. 

Definition. The integers a and b, with a ≠ 0 and b ≠ 0, are relatively prime if a and b
have greatest common divisor (a, b) = 1.

Example 1.38. Because (25, 42) = 1, 25 and 42 are relatively prime. ◄ 

We will study greatest common divisors at length in Chapter 4. In that chapter, we 
will give an algorithm for computing greatest common divisors. We will also prove many 
important results about them that lead to key theorems in number theory. 

1.5 Exercises

1. Show that 3 | 99, 5 | 145, 7 | 343, and 888 | 0. 

2. Show that 1001 is divisible by 7, by 11, and by 13.

3. Decide which of the following integers are divisible by 7.

a) 0 c) 1717 e) -285,714

b) 707 d) 123,321 f) -430,597

4. Decide which of the following integers are divisible by 22.

a) 0 c) 1716 e) -32,516

b) 444 d) 192,544 f) -195,518

5. Find the quotient and remainder in the division algorithm, with divisor 17 and dividend

a) 100. b) 289. c) -44. d) -100.

6. Find all positive integers that divide each of these integers.

a) 12 b) 22 c) 37 d) 41

7. Find all positive integers that divide each of these integers.

a) 13 b) 21 c) 36 d) 44

8. Find these greatest common divisors by finding all positive integers that divide each integer 
in the pair and selecting the largest that divides both. 

a) (8, 12) b) (7, 9) c) (15, 25) d) (16, 27) 

9. Find these greatest common divisors by finding all positive integers that divide each integer
in the pair and selecting the largest that divides both.

a) (11, 22) b) (36, 42) c) (21, 22) d) (16, 64)

10. Find all positive integers less than 10 that are relatively prime to it.

11. Find all positive integers less than 11 that are relatively prime to it.

12. Find all pairs of positive integers not exceeding 10 that are relatively prime.

13. Find all pairs of positive integers between 10 and 20, inclusive, that are relatively prime.

14. What can you conclude if a and b are nonzero integers such that a | b and b | a?

15. Show that if a, b, c, and d are integers with a and c nonzero, such that a | b and c | d, then
ac | bd.

16. Are there integers a, b, and c such that a | bc, but a ∤ b and a ∤ c?

17. Show that if a, b, and c ≠ 0 are integers, then a | b if and only if ac | bc.

18. Show that if a and b are positive integers and a | b, then a ≤ b.

19. Show that if a and b are integers such that a | b, then $a^k \mid b^k$ for every positive integer k.

20. Show that the sum of two even or of two odd integers is even, whereas the sum of an odd and
an even integer is odd.

21. Show that the product of two odd integers is odd, whereas the product of two integers is even
if either of the integers is even.

22. Show that if a and b are odd positive integers and b ∤ a, then there are integers s and t such
that a = bs + t, where t is odd and |t| < b.

23. When the integer a is divided by the integer b, where b > 0, the division algorithm gives a
quotient of q and a remainder of r. Show that if b ∤ a, when −a is divided by b, the division
algorithm gives a quotient of −(q + 1) and a remainder of b − r, whereas if b | a, the quotient
is −q and the remainder is 0.

24. Show that if a, b, and c are integers with b > 0 and c > 0, such that when a is divided by b
the quotient is q and the remainder is r, and when q is divided by c the quotient is t and the
remainder is s, then when a is divided by bc, the quotient is t and the remainder is bs + r.

25. a) Extend the division algorithm by allowing negative divisors. In particular, show that
whenever a and b ≠ 0 are integers, there are unique integers q and r such that a = bq + r,
where 0 ≤ r < |b|.

b) Find the remainder when 17 is divided by -7.

26. Show that if a and b are positive integers, then there are unique integers q and r such that
a = bq + r, where −b/2 < r ≤ b/2. This result is called the modified division algorithm.

27. Show that if m and n > 0 are integers, then 
[^•] if m kn - 1 for some integer k; 

[^•] +1 if m = kn — 1 for some integer k. 

28. Show that the integer n is even if and only if n − 2[n/2] = 0.

29. Show that the number of positive integers less than or equal to x, where x is a positive real
number, that are divisible by the positive integer d equals [x/d].

30. Find the number of positive integers not exceeding 1000 that are divisible by 5, by 25, by 
125, and by 625. 

31. How many integers between 100 and 1000 are divisible by 7? by 49? 

32. Find the number of positive integers not exceeding 1000 that are not divisible by 3 or 5. 

33. Find the number of positive integers not exceeding 1000 that are not divisible by 3, 5, or 7. 

34. Find the number of positive integers not exceeding 1000 that are divisible by 3 but not by 4. 

35. In early 2010, to mail a first-class letter in the United States of America it cost 44 cents for 
the first ounce and 17 cents for each additional ounce or fraction thereof. Find a formula 
involving the greatest integer function for the cost of mailing a letter in early 2010. Could it 
possibly have cost $1.81 or $2.65 to mail a first-class letter in the United States of America 
in early 2010? 

36. Show that if a is an integer, then 3 divides $a^3 - a$.

37. Show that the product of two integers of the form 4k + 1 is again of this form, whereas the
product of two integers of the form 4k + 3 is of the form 4k + 1.

38. Show that the square of every odd integer is of the form 8k + 1.

39. Show that the fourth power of every odd integer is of the form 16k + 1.

40. Show that the product of two integers of the form 6k + 5 is of the form 6k + 1.

41. Show that the product of any three consecutive integers is divisible by 6.

42. Use mathematical induction to show that $n^5 - n$ is divisible by 5 for every positive integer n.

43. Use mathematical induction to show that the sum of the cubes of three consecutive integers 
is divisible by 9. 

In Exercises 44-48, let $f_n$ denote the nth Fibonacci number.

44. Show that $f_n$ is even if and only if n is divisible by 3.

45. Show that $f_n$ is divisible by 3 if and only if n is divisible by 4.

46. Show that $f_n$ is divisible by 4 if and only if n is divisible by 6.

47. Show that $f_n = 5f_{n-4} + 3f_{n-5}$ whenever n is a positive integer with n > 5. Use this result to
show that $f_n$ is divisible by 5 whenever n is divisible by 5.

48. Show that $f_{n+m} = f_m f_{n+1} +$ whenever m and n are positive integers with m > 1. Use
this result to show that $f_n \mid f_m$ when m and n are positive integers with n | m.

Let n be a positive integer. We define

$$T(n) = \begin{cases} n/2 & \text{if } n \text{ is even;} \\ (3n + 1)/2 & \text{if } n \text{ is odd.} \end{cases}$$

We then form the sequence obtained by iterating T: n, T(n), T(T(n)), T(T(T(n))),
.... For instance, starting with n = 7, we have 7, 11, 17, 26, 13, 20, 10, 5, 8, 4, 2, 1, 2,
1, 2, 1, .... A well-known conjecture, sometimes called the Collatz conjecture, asserts that the
sequence obtained by iterating T always reaches the integer 1 no matter which positive integer n
begins the sequence.

49. Find the sequence obtained by iterating T starting with n = 39.

50. Show that the sequence obtained by iterating T starting with $n = (2^{2k} - 1)/3$, where k is a
positive integer greater than 1, always reaches the integer 1.

51. Show that the Collatz conjecture is true if it can be shown that for every positive integer n
with n > 2 there is a term in the sequence obtained by iterating T that is less than n.

52. Verify that there is a term in the sequence obtained by iterating T, starting with the positive
integer n, that is less than n for all positive integers n with 2 < n < 100. (Hint: Begin by
considering sets of positive integers for which it is easy to show that this is true.)

53. Show that $[(2 + \sqrt{3})^n]$ is odd whenever n is a nonnegative integer.

54. Determine the number of positive integers n such that [n/2] + [n/3] + [n/5] = n, where, as
usual, [x] is the greatest integer function.

55. Prove the division algorithm using the second principle of mathematical induction.

Computations and Explorations 

1. Find the quotient and remainder when 111,111,111,111 is divided by 987,654,321.

2. Verify the Collatz conjecture described in the preamble to Exercise 49 for all integers n not 
exceeding 10,000. 

3. Using numerical evidence, what sort of conjectures can you make concerning the number of
iterations needed before the sequence of iterations T(n) reaches 1, where n is a given positive
integer?

4. Using numerical evidence, make conjectures about the divisibility of Fibonacci numbers by 
7, by 8, by 9, by 11, and by 13. 

Programming Projects

1. Decide whether an integer is divisible by a given integer. 

2. Find the quotient and remainder in the division algorithm. 

3. Find the quotient, remainder, and sign in the modified division algorithm given in Exercise 26. 

4. Compute the terms of the sequence n, T(n), T(T(n)), T(T(T(n))), ... for a given positive
integer n, as defined in the preamble to Exercise 49.

Integer Representations and Operations


The way in which integers are represented has a major impact on how easily people
and computers can do arithmetic with these integers. The purpose of this chapter is to
explain how integers are represented using base b expansions, and how basic arithmetic
operations can be carried out using these expansions. In particular, we will show that
when b is a positive integer, every positive integer has a unique base b expansion. For
example, when b is 10, we have the decimal expansion of an integer; when b is 2, we
have the binary expansion of this integer; and when b is 16, we have the hexadecimal
expansion. We will describe a procedure for finding the base b expansion of an integer,
and describe the basic algorithms used to carry out integer arithmetic with base b
expansions. Finally, after introducing big-O notation, we will analyze the computational
complexity of these basic operations in terms of big-O estimates of the number of bit
operations that they use.


2.1 Representations of Integers 

In daily life, we use decimal notation to represent integers. We write out numbers using 
digits to represent powers of ten. For instance, when we write out the integer 37,465, we 
mean 

3 • 10 4 + 7 • 10 3 + 4 • 10 2 + 6 • 10 + 5. 

Decimal notation is an example of a positional number system, in which the position 
a digit occupies in a representation determines the quantity it represents. Throughout 
ancient and modern history, many other notations for integers have been used. For
example, Babylonian mathematicians who lived more than 3000 years ago expressed 
integers using sixty as a base. The Romans employed Roman numerals, which are used 
even today to represent years. The ancient Mayans used a positional notation with twenty 
as a base. Many other systems of integer notation have been invented and used over time. 

There is no special reason for using ten as the base in a fixed positional number 
system, other than that we have ten fingers. As we will see, any positive integer greater 
than 1 can be used as a base. With the invention and proliferation of computers, bases 
other than ten have become increasingly important. In particular, base 2, base 8, and base 
16 representations of integers are used extensively by computers for various purposes. 

In this section, we will demonstrate that no matter which positive integer b is chosen
as a base, every positive integer can be expressed uniquely in base b notation. In Section
2.2, we will show how these expansions can be used to do arithmetic with integers.
(See the exercise set at the end of this section to learn about one’s and two’s complement
notations, which are used by computers to represent both positive and negative integers.)

For more information about the fascinating history of positional number systems, the
reader is referred to [Or88] or [Kn97], where extensive surveys and numerous references
may be found.

We now show that every positive integer greater than 1 may be used as a base. 

Theorem 2.1. Let b be a positive integer with b > 1. Then every positive integer n can
be written uniquely in the form

$$n = a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0,$$

where k is a nonnegative integer, $a_j$ is an integer with $0 \le a_j \le b - 1$ for $j = 0, 1, \ldots, k$,
and the initial coefficient $a_k \ne 0$.

Proof. We obtain an expression of the desired type by successively applying the division
algorithm in the following way. We first divide n by b to obtain

$$n = bq_0 + a_0, \quad 0 \le a_0 \le b - 1.$$

If $q_0 \ne 0$, we continue by dividing $q_0$ by b to find that

$$q_0 = bq_1 + a_1, \quad 0 \le a_1 \le b - 1.$$

We continue this process to obtain

$$\begin{aligned}
q_1 &= bq_2 + a_2, & 0 \le a_2 \le b - 1, \\
q_2 &= bq_3 + a_3, & 0 \le a_3 \le b - 1, \\
&\;\;\vdots \\
q_{k-2} &= bq_{k-1} + a_{k-1}, & 0 \le a_{k-1} \le b - 1, \\
q_{k-1} &= b \cdot 0 + a_k, & 0 \le a_k \le b - 1.
\end{aligned}$$

The last step of the process occurs when a quotient of 0 is obtained. To see that we must
reach such a step, first note that the sequence of quotients satisfies

$$n > q_0 > q_1 > q_2 > \cdots \ge 0.$$

Because the sequence $q_0, q_1, q_2, \ldots$ is a decreasing sequence of nonnegative integers
that continues as long as its terms are positive, there are at most $q_0$ terms in this sequence,
and the last term equals 0.

From the first equation above, we find that

$$n = bq_0 + a_0.$$

We next replace $q_0$ using the second equation, to obtain

$$n = b(bq_1 + a_1) + a_0 = b^2 q_1 + a_1 b + a_0.$$

Successively substituting for $q_1, q_2, \ldots, q_{k-1}$, we have

$$\begin{aligned}
n &= b^3 q_2 + a_2 b^2 + a_1 b + a_0, \\
&\;\;\vdots \\
&= b^{k-1} q_{k-2} + a_{k-2} b^{k-2} + \cdots + a_1 b + a_0, \\
&= b^k q_{k-1} + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0 \\
&= a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0,
\end{aligned}$$

where $0 \le a_j \le b - 1$ for $j = 0, 1, \ldots, k$ and $a_k \ne 0$, given that $a_k = q_{k-1}$ is the last
nonzero quotient. Consequently, we have found an expansion of the desired type.

To see that the expansion is unique, assume that we have two such expansions equal
to n, that is,

$$\begin{aligned}
n &= a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0 \\
&= c_k b^k + c_{k-1} b^{k-1} + \cdots + c_1 b + c_0,
\end{aligned}$$

where $0 \le a_k < b$ and $0 \le c_k < b$ (and where, if necessary, we have added initial terms
with zero coefficients to one of the expansions to have the number of terms agree).
Subtracting one expansion from the other, we have

$$(a_k - c_k) b^k + (a_{k-1} - c_{k-1}) b^{k-1} + \cdots + (a_1 - c_1) b + (a_0 - c_0) = 0.$$

If the two expansions are different, there is a smallest integer j, $0 \le j \le k$, such that
$a_j \ne c_j$. Hence,

$$b^j \left( (a_k - c_k) b^{k-j} + \cdots + (a_{j+1} - c_{j+1}) b + (a_j - c_j) \right) = 0,$$

so that

$$(a_k - c_k) b^{k-j} + \cdots + (a_{j+1} - c_{j+1}) b + (a_j - c_j) = 0.$$

Solving for $a_j - c_j$, we obtain

$$\begin{aligned}
a_j - c_j &= (c_k - a_k) b^{k-j} + \cdots + (c_{j+1} - a_{j+1}) b \\
&= b \left( (c_k - a_k) b^{k-j-1} + \cdots + (c_{j+1} - a_{j+1}) \right).
\end{aligned}$$

Hence, we see that

$$b \mid (a_j - c_j).$$

But because $0 \le a_j < b$ and $0 \le c_j < b$, we know that $-b < a_j - c_j < b$. Consequently,
$b \mid (a_j - c_j)$ implies that $a_j = c_j$. This contradicts the assumption that the two expansions
are different. We conclude that our base b expansion of n is unique. ■

For b = 2, we see by Theorem 2.1 that the following corollary holds. 


Corollary 2.1.1. Every positive integer may be represented as the sum of distinct 
powers of 2. ■ 

Proof. Let n be a positive integer. From Theorem 2.1 with b = 2, we know that
$n = a_k 2^k + a_{k-1} 2^{k-1} + \cdots + a_1 2 + a_0$, where each $a_j$ is either 0 or 1. Hence, every
positive integer is the sum of distinct powers of 2. ■

In the expansions described in Theorem 2.1, b is called the base or radix of the 
expansion. We call base 10 notation, our conventional way of writing integers, decimal 
notation. Base 2 expansions are called binary expansions, base 8 expansions are called 
octal expansions, and base 16 expansions are called hexadecimal, or hex for short. The 
coefficients $a_j$ are called the digits of the expansion. Binary digits are called bits (binary
digits) in computer terminology.

To distinguish representations of integers with different bases, we use a special
notation. We write $(a_k a_{k-1} \ldots a_1 a_0)_b$ to represent the number
$a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0$.


Example 2.1. To illustrate base b notation, note that $(236)_7 = 2 \cdot 7^2 + 3 \cdot 7 + 6 = 125$
and $(10010011)_2 = 1 \cdot 2^7 + 1 \cdot 2^4 + 1 \cdot 2^1 + 1 = 147$. ◄

The proof of Theorem 2.1 provides a method of finding the base b expansion
$(a_k a_{k-1} \ldots a_1 a_0)_b$ of any positive integer n. Specifically, to find the base b expansion
of n, we first divide n by b. The remainder is the digit $a_0$. Then, we divide the quotient
$[n/b] = q_0$ by b. The remainder is the digit $a_1$. We continue this process, successively
dividing the quotient obtained by b, to obtain the digits in the base b expansion of n.
The process stops once a quotient of 0 is obtained. In other words, to find the base b
expansion of n, we perform the division algorithm repeatedly, replacing the dividend
each time with the quotient, and stop when we come to a quotient that is 0. We then read
up the list of remainders to find the base b expansion. We illustrate this procedure in
Example 2.2.

Example 2.2. To find the base 2 expansion of 1864, we use the division algorithm
successively:

1864 = 2 • 932 + 0,
 932 = 2 • 466 + 0,
 466 = 2 • 233 + 0,
 233 = 2 • 116 + 1,
 116 = 2 • 58 + 0,
  58 = 2 • 29 + 0,
  29 = 2 • 14 + 1,
  14 = 2 • 7 + 0,
   7 = 2 • 3 + 1,
   3 = 2 • 1 + 1,
   1 = 2 • 0 + 1.

To obtain the base 2 expansion of 1864, we simply take the remainders of these divisions.
This shows that $(1864)_{10} = (11101001000)_2$. ◄
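The procedure of Theorem 2.1 and Example 2.2 can be written directly as code. The Python sketch below is an added example, not part of the text; the function names and the 16-symbol digit alphabet are assumptions. Its parser accepts only the one expansion that Theorem 2.1 guarantees (valid digits, nonzero leading digit), so each positive integer has exactly one accepted string.

```python
ALPHABET = "0123456789ABCDEF"  # digit symbols for bases up to 16, as used in the text


def base_b_digits(n, b):
    """Digits [a_k, ..., a_1, a_0] of the positive integer n in base b.

    Repeats the division algorithm, replacing the dividend with the
    quotient each time, and stops when the quotient is 0.
    """
    if b < 2:
        raise ValueError("the base must be an integer greater than 1")
    if n < 1:
        raise ValueError("Theorem 2.1 covers positive integers n")
    remainders = []
    q = n
    while q != 0:
        q, a = divmod(q, b)  # previous quotient = b*q + a with 0 <= a <= b - 1
        remainders.append(a)
    remainders.reverse()     # "read up the list of remainders"
    return remainders


def evaluate(digits, b):
    """Value of (a_k ... a_1 a_0)_b, rejecting digits outside 0..b-1."""
    if not digits:
        raise ValueError("an expansion has at least one digit")
    n = 0
    for a in digits:
        if not 0 <= a <= b - 1:
            raise ValueError("digit %r is outside 0..%d" % (a, b - 1))
        n = n * b + a        # Horner's rule for a_k b^k + ... + a_1 b + a_0
    return n


def to_string(n, b):
    """Base b expansion of n as a string, for 2 <= b <= 16."""
    if not 2 <= b <= len(ALPHABET):
        raise ValueError("this sketch has digit symbols for bases 2..16 only")
    return "".join(ALPHABET[a] for a in base_b_digits(n, b))


def parse_canonical(text, b):
    """Parse the unique base b expansion of a positive integer.

    Leading zeros and symbols that are not base b digits are rejected, so
    two different accepted strings never denote the same integer.
    """
    if not 2 <= b <= len(ALPHABET):
        raise ValueError("this sketch has digit symbols for bases 2..16 only")
    if not text or text[0] == "0":
        raise ValueError("empty input or leading zero: a_k must be nonzero")
    digits = []
    for ch in text:
        a = ALPHABET.find(ch)
        if a < 0 or a >= b:
            raise ValueError("%r is not a base %d digit" % (ch, b))
        digits.append(a)
    return evaluate(digits, b)


if __name__ == "__main__":
    print(to_string(1864, 2))          # the expansion found in Example 2.2
    print(parse_canonical("236", 7))   # the first value in Example 2.1
```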

Computers represent numbers internally by using a series of “switches” that may be
either “on” or “off.” (This may be done electrically or mechanically, or by other means.)
Hence, we have two possible states for each switch. We can use “on” to represent the
digit 1 and “off” to represent the digit 0; this is why computers use binary expansions to
represent integers internally.

Computers use base 8 or base 16 for display purposes. In base 16 (hexadecimal) notation
there are 16 digits, usually denoted by 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.
The letters A, B, C, D, E, and F are used to represent the digits that correspond to 10, 11,
12, 13, 14, and 15 (written in decimal notation). The following example demonstrates
the conversion from hexadecimal to decimal notation.

Example 2.3. To convert $(A35B0F)_{16}$ from hexadecimal to decimal notation, we write

$$(A35B0F)_{16} = 10 \cdot 16^5 + 3 \cdot 16^4 + 5 \cdot 16^3 + 11 \cdot 16^2 + 0 \cdot 16 + 15 = (10705679)_{10}.$$ ◄

A simple conversion is possible between binary and hexadecimal notation. We can 
write each hex digit as a block of four binary digits according to the correspondences 
given in Table 2.1. 

Example 2.4. An example of conversion from hex to binary is $(2FB3)_{16} =
(10111110110011)_2$. Each hex digit is converted to a block of four binary digits (the
initial zeros in the initial block $(0010)_2$ corresponding to the digit $(2)_{16}$ are omitted).

To convert from binary to hex, consider $(11110111101001)_2$. We break this into
blocks of four, starting from the right. The blocks are, from right to left, 1001, 1110,
1101, and 0011 (with two initial zeros added). Translating each block to hex, we obtain
$(3DE9)_{16}$. ◄


Hex Digit   Binary Digits   Hex Digit   Binary Digits
0           0000            8           1000
1           0001            9           1001
2           0010            A           1010
3           0011            B           1011
4           0100            C           1100
5           0101            D           1101
6           0110            E           1110
7           0111            F           1111

Table 2.1 Conversion from hex digits to blocks of binary digits.

We note that a conversion between two different bases is as easy as binary-hex
conversion whenever one of the bases is a power of the other.
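The block conversion of Example 2.4 works digit by digit, without computing the integer itself. The Python sketch below is an added example, not part of the text, and generalizes it from bases 2 and 16 to any base r and its power r^n; the function names are hypothetical and digits are given as lists of integers, most significant first.

```python
def group_digits(digits, r, n):
    """Convert base r digits to base r**n digits by blocks of n.

    Blocks are formed starting from the right; the leftmost block is
    padded with initial zeros, as in Example 2.4.
    """
    if r < 2 or n < 1:
        raise ValueError("need a base r > 1 and a block length n >= 1")
    if not digits:
        raise ValueError("an expansion has at least one digit")
    pad = (-len(digits)) % n
    padded = [0] * pad + list(digits)
    out = []
    for i in range(0, len(padded), n):
        value = 0
        for d in padded[i:i + n]:
            if not 0 <= d < r:
                raise ValueError("%r is not a base %d digit" % (d, r))
            value = value * r + d      # value of one block, read in base r
        out.append(value)
    while len(out) > 1 and out[0] == 0:
        out.pop(0)                     # drop blocks that were all zeros
    return out


def split_digits(digits, r, n):
    """Convert base r**n digits to base r digits, n digits per block."""
    if r < 2 or n < 1:
        raise ValueError("need a base r > 1 and a block length n >= 1")
    if not digits:
        raise ValueError("an expansion has at least one digit")
    out = []
    for d in digits:
        if not 0 <= d < r ** n:
            raise ValueError("%r is not a base %d digit" % (d, r ** n))
        block = []
        for _ in range(n):             # always n digits, zeros included
            d, a = divmod(d, r)
            block.append(a)
        out.extend(reversed(block))
    while len(out) > 1 and out[0] == 0:
        out.pop(0)                     # omit the initial zeros of the first block
    return out


if __name__ == "__main__":
    # (2FB3)_16 written as the digit list [2, 15, 11, 3]
    print(split_digits([2, 15, 11, 3], 2, 4))
    # (11110111101001)_2 grouped into hex digits
    print(group_digits([1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1], 2, 4))
```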

2.1 Exercises 

1. Convert $(1999)_{10}$ from decimal to base 7 notation. Convert $(6105)_7$ from base 7 to decimal
notation.

2. Convert $(89156)_{10}$ from decimal to base 8 notation. Convert $(706113)_8$ from base 8 to decimal
notation.

3. Convert $(10101111)_2$ from binary to decimal notation and $(999)_{10}$ from decimal to binary
notation.

4. Convert $(101001000)_2$ from binary to decimal notation and $(1984)_{10}$ from decimal to binary
notation.

5. Convert $(100011110101)_2$ and $(11101001110)_2$ from binary to hexadecimal.

6. Convert $(ABCDEF)_{16}$, $(DEFACED)_{16}$, and $(9A0B)_{16}$ from hexadecimal to binary.

7. Explain why we really are using base 1000 notation when we break large decimal integers 
into blocks of three digits, separated by commas. 

8. Show that if b is a negative integer less than −1, then every nonzero integer n can be uniquely
written in the form

$$n = a_k b^k + a_{k-1} b^{k-1} + \cdots + a_1 b + a_0,$$

where $a_k \ne 0$ and $0 \le a_j < |b|$ for $j = 0, 1, 2, \ldots, k$. We write $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, just
as we do for positive bases.

9. Find the decimal representation of $(101001)_{-2}$ and $(12012)_{-3}$.

10. Find the base −2 representations of the decimal numbers −7, −17, and 61.

11. Show that any weight not exceeding $2^k - 1$ may be measured using weights of $1, 2, 2^2, \ldots,
2^{k-1}$, when all the weights are placed in one pan.

12. Show that every nonzero integer can be uniquely represented in the form

$$e_k 3^k + e_{k-1} 3^{k-1} + \cdots + e_1 3 + e_0,$$

where $e_j = -1$, 0, or 1 for $j = 0, 1, 2, \ldots, k$ and $e_k \ne 0$. This expansion is called a balanced
ternary expansion.

13. Use Exercise 12 to show that any weight not exceeding $(3^k - 1)/2$ may be measured using
weights of $1, 3, 3^2, \ldots, 3^{k-1}$, when the weights may be placed in either pan.

14. Explain how to convert from base 3 to base 9 notation, and from base 9 to base 3 notation.

15. Explain how to convert from base r to base $r^n$ notation, and from base $r^n$ to base r notation,
when r > 1 and n are positive integers.

16. Show that if $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, then the quotient and remainder when n is divided by $b^j$
are $q = (a_k a_{k-1} \ldots a_j)_b$ and $r = (a_{j-1} \ldots a_1 a_0)_b$, respectively.

17. If the base b expansion of n is $n = (a_k a_{k-1} \ldots a_1 a_0)_b$, what is the base b expansion of $b^m n$?
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One’s complement representations of integers are used to simplify computer arithmetic. To 
represent positive and negative integers with absolute value less than 2", a total of n + 1 bits 
is used. 

The leftmost bit is used to represent the sign. A 0 in this position is used for positive integers, 
and a 1 in this position is used for negative integers. 

For positive integers, the remaining bits are identical to the binary expansion of the integer. 
For negative integers, the remaining bits are obtained by first finding the binary expansion of the 
absolute value of the integer, and then taking the complement of each of these bits, where the 
complement of a 1 is a 0 and the complement of a 0 is a 1. 

18. Find the one’s complement representations, using bit strings of length six, of the following 
integers. 

a) 22 b) 31 c) -7 d) -19

19. What integer does each of the following one’s complement representations of length five 
represent? 

a) 11001 b) 01101 c) 10001 d) 11111 

20. How is the one’s complement representation of -m obtained from the one’s complement of 
m, when bit strings of length n are used? 

21. Show that if m is an integer with one’s complement representation $a_{n-1} a_{n-2} \ldots a_1 a_0$, then
$m = -a_{n-1}(2^{n-1} - 1) + \sum_{i=0}^{n-2} a_i 2^i$.

Two’s complement representations of integers also are used to simplify computer arithmetic (in
fact, they are used much more commonly than one’s complement representations). To represent
an integer x with $-2^{n-1} \le x \le 2^{n-1} - 1$, n bits are used.

The leftmost bit represents the sign, with a 0 used for positive integers and a 1 for negative
integers.

For a positive integer, the remaining n - 1 bits are identical to the binary expansion of the
integer. For a negative integer, the remaining bits are the bits of the binary expansion of $2^{n-1} - |x|$.

22. Find the two’s complement representations, using bit strings of length six, of the integers in 
Exercise 18. 

23. What integers do the representations in Exercise 19 represent if each is the two’s complement 
representation of an integer? 

24. Show that if m is an integer with two’s complement representation $a_{n-1} a_{n-2} \ldots a_1 a_0$, then

$$m = -a_{n-1} \cdot 2^{n-1} + \sum_{i=0}^{n-2} a_i 2^i.$$

25. How is the two’s complement representation of -m obtained from the two’s complement
representation of m, when bit strings of length n are used?

26. How can the two’s complement representation of an integer be found from its one’s
complement representation?

27. Sometimes integers are encoded by using four-digit binary expansions to represent each
decimal digit. This produces the binary coded decimal form of the integer. For instance,
791 is encoded in this way by 011110010001. How many bits are required to represent a
number with n decimal digits using this type of encoding?
A Cantor expansion of a positive integer n is a sum

$$n = a_m m! + a_{m-1}(m-1)! + \cdots + a_2 2! + a_1 1!,$$

where each $a_j$ is an integer with $0 \le a_j \le j$ and $a_m \neq 0$.

28. Find Cantor expansions of 14, 56, and 384.

29. Show that every positive integer has a unique Cantor expansion. (Hint: For each positive
integer n there is a positive integer m such that $m! \le n < (m + 1)!$. For $a_m$, take the quotient
from the division algorithm when n is divided by m!, then iterate.)

The Chinese game of nim is played as follows. There are several piles of matches, each containing 
an arbitrary number of matches at the start of the game. To make a move, a player removes one 
or more matches from one of the piles. The players take turns, and the player who removes the 
last match wins the game. 

A winning position is an arrangement of matches in piles such that if a player can move to 
this position, then (no matter what the second player does) the first player can continue to play in a 
way that will win the game. An example is the position where there are two piles, each containing 
one match; this is a winning position, because the second player must remove a match, leaving 
the first player the opportunity to win by removing the last match. 

30. Show that the position in nim where there are two piles, each with two matches, is a winning 
position. 

31. For each arrangement of matches into piles, write the number of matches in each pile in 
binary notation, and then line up the digits of these numbers into columns (adding initial 
zeros where necessary). Show that a position is a winning one if and only if the number of 
1s in each column is even. (For example: Three piles of 3, 4, and 7 give

0 1 1
1 0 0
1 1 1

where each column has exactly two 1s.) (Hint: Show that any move from a winning position
produces a nonwinning one. Show that there is a move from any nonwinning position to a 
winning one.) 

Let a be an integer with a four-digit decimal expansion, where not all digits are the same. Let a'
be the integer with a decimal expansion obtained by writing the digits of a in descending order,
and let a'' be the integer with a decimal expansion obtained by writing the digits of a in ascending
order. Define T(a) = a' - a''. For instance, T(7318) = 8731 - 1378 = 7353.

32. Show that the only integer with a four-digit decimal expansion (where not all digits are the 
same) such that T(a) = a is a = 6174. The integer 6174 is called Kaprekar’s constant, after 
the Indian mathematician D. R. Kaprekar, because it is the only integer with this property. 

33. a) Show that if a is a positive integer with a four-digit decimal expansion where not all
digits are the same, then the sequence a, T(a), T(T(a)), T(T(T(a))), . . . , obtained by
iterating T, eventually reaches the integer 6174.
b) Determine the maximum number of steps required for the sequence defined in part (a) to
reach 6174.

Let b be a positive integer and let a be an integer with a four-digit base b expansion, with not all
digits the same. Define $T_b(a) = a' - a''$, where a' is the integer with base b expansion obtained
by writing the base b digits of a in descending order, and a'' is the integer with base b expansion
obtained by writing the base b digits of a in ascending order.

** 34. Let b = 5. Find the unique integer $a_0$ with a four-digit base 5 expansion such that $T_5(a_0) = a_0$.
Show that this integer $a_0$ is a Kaprekar constant for base 5; in other words, that
a, T(a), T(T(a)), T(T(T(a))), . . . eventually reaches $a_0$, whenever a is an integer with
a four-digit base 5 expansion where not all digits are the same.

* 35. Show that no Kaprekar constant exists for four-digit numbers to the base 6. 

* 36. Determine whether there is a Kaprekar constant for three-digit integers to the base 10. Prove
that your answer is correct.

37. A sequence $a_j$, j = 1, 2, ... is called a Sidon sequence, after the Hungarian mathematician
Simon Sidon, if all the pairwise sums $a_i + a_j$ where $i \le j$ are different. Use Theorem 2.1 to
show that the sequence $a_j$, j = 1, 2, ... is a Sidon sequence when $a_j = 2^j$.


Computations and Explorations 

1. Find the binary, octal, and hexadecimal expansions of each of the following integers, 

a) 9876543210 b) 1111111111 c) 10000000001 

2. Find the decimal expansion of each of the following integers. 

a) $(1010101010101)_2$ b) $(765432101234567)_8$ c) $(\mathrm{ABBAFADACABA})_{16}$

3. Evaluate each of the following sums, expressing your answer in the same base used to
represent the summands.

a) $(11011011011011011)_2 + (1001001001001001001001)_2$

b) $(12345670123456)_8 + (765432107654321)_8$

c) $(\mathrm{123456789ABCD})_{16} + (\mathrm{BABACACADADA})_{16}$

4. Find the Cantor expansions of the integers 100,000, 10,000,000, and 1,000,000,000. (See the
preamble to Exercise 28 for the definition of Cantor expansions.) 

5. Verify the result described in Exercise 33 for several different four-digit integers, in which 
not all digits are the same. 

6. Use numerical evidence to make conjectures about the behavior of the sequence a, T(a),
T(T(a)), . . . where a is a five-digit integer in base 10 notation in which not all digits are the
same, and T(a) is defined as in the preamble to Exercise 32.

D. R. KAPREKAR (1905-1986) was born in Dahanu, India, and was interested
in numbers even as a small child. He received his secondary school education
in Thana and studied at Ferguson College in Poona. Kaprekar attended the
University of Bombay, receiving his bachelor’s degree in 1929. From 1930
until his retirement in 1962, he worked as a schoolteacher in Devlali, India.
Kaprekar discovered many interesting properties in recreational number theory.
He published extensively, writing about such topics as recurring decimals,
magic squares, and integers with special properties.

7. Explore the behavior for different bases b of the sequence a, T(a), T(T(a)), . . . where a
is a three-digit integer in base b notation. What conjectures can you make? Repeat your
exploration using four-digit and then five-digit integers in base b notation.

Programming Projects 

1. Find the binary expansion of an integer from the decimal expansion of this integer, and 
vice versa. 

2. Convert from base $b_1$ notation to base $b_2$ notation, where $b_1$ and $b_2$ are arbitrary positive
integers greater than 1.

3. Convert from binary notation to hexadecimal notation, and vice versa.

4. Find the base (-2) notation of an integer from its decimal notation (see Exercise 8).

5. Find the balanced ternary expansion of an integer from its decimal expansion (see Exercise 12).

6. Find the Cantor expansion of an integer from its decimal expansion (see the preamble to
Exercise 28).

7. Play a winning strategy in the game of nim (see the preamble to Exercise 30).

* 8. Investigate the sequence a, T(a), T(T(a)), T(T(T(a))), . . . (defined in the preamble to
Exercise 32), where a is a positive integer, to discover the minimum number of iterations
required to reach 6174.


2.2 Computer Operations with Integers 

Before computers were invented, mathematicians did computations either by hand or 
by using mechanical devices. Either way, they were only able to work with integers of 
rather limited size. Many number theoretic problems, such as factoring and primality 
testing, require computations with integers of as many as 100 or even 200 digits. In this 
section, we will study some of the basic algorithms for doing computer arithmetic. In 
the following section, we will study the number of basic computer operations required 
to carry out these algorithms. 

We have mentioned that computers internally represent numbers using bits, or binary
digits. Computers have a built-in limit on the size of integers that can be used in machine
arithmetic. This upper limit is called the word size, which we denote by w. The word size
is usually a power of 2, such as $2^{32}$ for Pentium machines or $2^{35}$, although sometimes
the word size is a power of 10.

To do arithmetic with integers larger than the word size, it is necessary to devote
more than one word to each integer. To store an integer n > w, we express n in base w
notation, and for each digit of this expansion we use one computer word. For instance, if
the word size is $2^{35}$, using ten computer words we can store integers as large as $2^{350} - 1$,
because integers less than $2^{350}$ have no more than ten digits in their base $2^{35}$ expansions.
Also note that to find the base $2^{35}$ expansion of an integer, we need only group together
blocks of 35 bits.

The first step in discussing computer arithmetic with large integers is to describe
how the basic arithmetic operations are methodically performed.

We will describe the classical methods for performing the basic arithmetic operations
with integers in base r notation, where r > 1 is an integer. These methods are
examples of algorithms.

Definition. An algorithm is a finite set of precise instructions for performing a computation
or for solving a problem.

We will describe algorithms for performing addition, subtraction, and multiplication
of two n-digit integers $a = (a_{n-1} a_{n-2} \ldots a_1 a_0)_r$ and $b = (b_{n-1} b_{n-2} \ldots b_1 b_0)_r$, where
initial digits of zero are added if necessary to make both expansions the same length.
The algorithms described are used for both binary arithmetic with integers less than the
word size of a computer, and multiple precision arithmetic with integers larger than the
word size w, using w as the base.

Addition When we add a and b, we obtain the sum

$$a + b = \sum_{j=0}^{n-1} a_j r^j + \sum_{j=0}^{n-1} b_j r^j = \sum_{j=0}^{n-1} (a_j + b_j) r^j.$$

To find the base r expansion of a + b, first note that by the division algorithm, there are
integers $C_0$ and $s_0$ such that

$$a_0 + b_0 = C_0 r + s_0, \quad 0 \le s_0 < r.$$

Because $a_0$ and $b_0$ are positive integers not exceeding r, we know that $0 \le a_0 + b_0 \le 2r - 2$,
so that $C_0 = 0$ or 1; here, $C_0$ is the carry to the next place. Next, we find that
there are integers $C_1$ and $s_1$ such that

$$a_1 + b_1 + C_0 = C_1 r + s_1, \quad 0 \le s_1 < r.$$

Because $0 \le a_1 + b_1 + C_0 \le 2r - 1$, we know that $C_1 = 0$ or 1. Proceeding inductively,
we find integers $C_i$ and $s_i$ for $1 \le i \le n - 1$ by

$$a_i + b_i + C_{i-1} = C_i r + s_i, \quad 0 \le s_i < r,$$

with $C_i = 0$ or 1. Finally, we let $s_n = C_{n-1}$, because the sum of two integers with n
digits has n + 1 digits when there is a carry in the nth place. We conclude that the base
r expansion for the sum is a + b =

When performing base r addition by hand, we can use the same familiar technique 
as is used in decimal addition. 


Example 2.5. To add $(1101)_2$ and $(1001)_2$, we write

     1  1
      1101
    + 1001
    ------
     10110

where we have indicated carries by 1s in italics written above the appropriate column.
We found the binary digits of the sum by noting that 1 + 1 = 1 · 2 + 0, 0 + 0 + 1 =
0 · 2 + 1, 1 + 0 + 0 = 0 · 2 + 1, and 1 + 1 + 0 = 1 · 2 + 0. ◄

Subtraction Assume that a > b. Consider

$$a - b = \sum_{j=0}^{n-1} a_j r^j - \sum_{j=0}^{n-1} b_j r^j = \sum_{j=0}^{n-1} (a_j - b_j) r^j.$$

Note that by the division algorithm, there are integers $B_0$ and $d_0$ such that

$$a_0 - b_0 = B_0 r + d_0, \quad 0 \le d_0 < r,$$

and because $a_0$ and $b_0$ are positive integers less than r, we have

$$-(r - 1) \le a_0 - b_0 \le r - 1.$$

When $a_0 - b_0 \ge 0$, we have $B_0 = 0$. Otherwise, when $a_0 - b_0 < 0$, we have $B_0 = -1$;
$B_0$ is the borrow from the next place of the base r expansion of a. We use the division
algorithm again to find integers $B_1$ and $d_1$ such that

$$a_1 - b_1 + B_0 = B_1 r + d_1, \quad 0 \le d_1 < r.$$

From this equation, we see that the borrow $B_1 = 0$ as long as $a_1 - b_1 + B_0 \ge 0$, and that
$B_1 = -1$ otherwise, because $-r \le a_1 - b_1 + B_0 \le r - 1$. We proceed inductively to find
integers $B_i$ and $d_i$, such that

$$a_i - b_i + B_{i-1} = B_i r + d_i, \quad 0 \le d_i < r$$

with $B_i = 0$ or -1, for $1 \le i \le n - 1$. We see that $B_{n-1} = 0$, because a > b. We can
conclude that

$$a - b = (d_{n-1} d_{n-2} \ldots d_1 d_0)_r.$$


Where the Word “Algorithm” Comes From

“Algorithm” is a corruption of the original term “algorism,” which originally comes from
the name of the author of the ninth-century book Kitab al-jabr w’al-muqabala (Rules
of Restoration and Reduction), Abu Ja'far Mohammed ibn Musa al-Khwarizmi (see his
biography included on the next page). The word “algorism” originally referred only to the 
rules of performing arithmetic using Hindu-Arabic numerals, but evolved into “algorithm” 
by the eighteenth century. With growing interest in computing machines, the concept of an 
algorithm became more general, to include all definite procedures for solving problems, not 
just the procedures for performing arithmetic with integers expressed in Arabic notation. 
When performing base r subtraction by hand, we use the familiar technique used in
decimal subtraction.

Example 2.6. To subtract $(10110)_2$ from $(11011)_2$, we have

     -1
     11011
    -10110

where the -1 in italics above a column indicates a borrow. We found the binary digits
of the difference by noting that 1 - 0 = 0 · 2 + 1, 1 - 1 + 0 = 0 · 2 + 0, 0 - 1 + 0 =
-1 · 2 + 1, 1 - 0 - 1 = 0 · 2 + 0, and 1 - 1 + 0 = 0 · 2 + 0. ◄

Multiplication Before discussing multiplication, we describe shifting. To multiply
$(a_{n-1} \ldots a_1 a_0)_r$ by $r^m$, we need only shift the expansion left m places, appending the
expansion with m zero digits.

Example 2.7. To multiply $(101101)_2$ by $2^5$, we shift the digits to the left five places
and append the expansion with five zeros, obtaining $(10110100000)_2$. ◄

We first discuss the multiplication of an n-place integer by a one-digit integer. To
multiply $(a_{n-1} \ldots a_1 a_0)_r$ by $(b)_r$, we first note that

$$a_0 b = q_0 r + p_0, \quad 0 \le p_0 < r,$$

and $0 \le q_0 \le r - 2$, because $0 \le a_0 b \le (r - 1)^2$. Next, we have

$$a_1 b + q_0 = q_1 r + p_1, \quad 0 \le p_1 < r,$$

and $0 \le q_1 \le r - 1$. In general, we have

$$a_i b + q_{i-1} = q_i r + p_i, \quad 0 \le p_i < r,$$


ABU JA‘FAR MOHAMMED IBN MUSA AL-KHWARIZMI (c. 780-
c. 850), an astronomer and mathematician, was a member of the House of
Wisdom, an academy of scientists in Baghdad. The name al-Khwarizmi means
“from the town of Kowarzizm,” now known as Khiva in modern Uzbekistan.
Al-Khwarizmi was the author of books on mathematics, astronomy, and geography.
People in the West first learned about algebra from his works; the word
“algebra” comes from al-jabr, part of the title of his book Kitab al-jabr w’al
muqabala, which was translated into Latin and widely used as a text. Another
book describes procedures for arithmetic operations using Hindu-Arabic numerals.
and $0 \le q_i \le r - 1$. Furthermore, we have $p_n = q_{n-1}$. This yields
$(a_{n-1} \ldots a_1 a_0)_r (b)_r = (p_n p_{n-1} \ldots p_1 p_0)_r$.

To perform a multiplication of two n-place integers, we write

$$ab = a\left(\sum_{j=0}^{n-1} b_j r^j\right) = \sum_{j=0}^{n-1} (a b_j) r^j.$$

For each j, we first multiply a by the digit bj, then shift j places to the left, and finally 
add all of the n integers we have obtained to find the product. 

When multiplying two integers with base r expansions, we use the familiar method 
of multiplying decimal integers by hand. 

Example 2.8. To multiply $(1101)_2$ and $(1110)_2$, we write

          1101
        × 1110
        ------
          0000
         1101
        1101
       1101
      --------
      10110110

Note that we first multiplied $(1101)_2$ by each digit of $(1110)_2$, shifting each time by the
appropriate number of places, and then we added the appropriate integers to find our
product. ◄
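The addition, subtraction, and multiplication procedures above can be written out on lists of base r digits. The following is an added example, not code from the text; the function names and the choice to store digits least significant first are assumptions made here, while the carries, borrows, and one-digit products follow the recurrences for $C_i$, $B_i$, and $q_i$ given above.

```python
# Added illustration (not from the textbook): the classical base-r algorithms
# on digit lists. Index j holds the digit of r**j (least significant first).

def to_digits(n, r):
    """Base-r digits of a nonnegative int, least significant digit first."""
    digits = [n % r]
    n //= r
    while n:
        digits.append(n % r)
        n //= r
    return digits


def from_digits(digits, r):
    """Inverse of to_digits, evaluated from the leading digit down."""
    value = 0
    for d in reversed(digits):
        value = value * r + d
    return value


def _pad(a, b):
    """Append leading zero digits so both expansions have the same length n."""
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)), b + [0] * (n - len(b)), n


def _strip(digits):
    """Remove leading zero digits, always keeping at least one digit."""
    while len(digits) > 1 and digits[-1] == 0:
        digits.pop()
    return digits


def add(a, b, r):
    """a_i + b_i + C_{i-1} = C_i*r + s_i. Returns (digits of a+b, [C_0..C_{n-1}])."""
    a, b, n = _pad(a, b)
    s, carries, carry = [], [], 0
    for i in range(n):
        carry, digit = divmod(a[i] + b[i] + carry, r)
        s.append(digit)
        carries.append(carry)
    s.append(carry)  # s_n = C_{n-1}
    return _strip(s), carries


def subtract(a, b, r):
    """a_i - b_i + B_{i-1} = B_i*r + d_i with B_i in {0, -1}; needs a >= b."""
    a, b, n = _pad(a, b)
    d, borrows, borrow = [], [], 0
    for i in range(n):
        # Floor division makes the quotient -1 exactly when the column is negative.
        borrow, digit = divmod(a[i] - b[i] + borrow, r)
        d.append(digit)
        borrows.append(borrow)
    if borrow:
        raise ValueError("subtract() requires a >= b")
    return _strip(d), borrows


def multiply_by_digit(a, b, r):
    """a_i*b + q_{i-1} = q_i*r + p_i, and the last carry q_{n-1} becomes p_n."""
    p, q = [], 0
    for a_i in a:
        q, digit = divmod(a_i * b + q, r)
        p.append(digit)
    p.append(q)
    return _strip(p)


def multiply(a, b, r):
    """For each digit b_j: multiply a by b_j, shift j places left, add up."""
    total = [0]
    for j, b_j in enumerate(b):
        shifted = [0] * j + multiply_by_digit(a, b_j, r)
        total, _ = add(total, shifted, r)
    return total


if __name__ == "__main__":
    # Examples 2.5, 2.6 and 2.8 from the text, in base 2.
    print(add(to_digits(0b1101, 2), to_digits(0b1001, 2), 2))
    print(subtract(to_digits(0b11011, 2), to_digits(0b10110, 2), 2))
    print(bin(from_digits(multiply(to_digits(0b1101, 2), to_digits(0b1110, 2), 2), 2)))
```

The same functions work unchanged with r equal to a machine word size, which is the multiple precision case described earlier in this section.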

Division We wish to find the quotient q in the division algorithm

$$a = bq + R, \quad 0 \le R < b.$$

If the base r expansion of q is $q = (q_{n-1} q_{n-2} \ldots q_1 q_0)_r$, then we have

$$a = b\left(\sum_{j=0}^{n-1} q_j r^j\right) + R, \quad 0 \le R < b.$$

To determine the first digit $q_{n-1}$ of q, notice that

$$a - b q_{n-1} r^{n-1} = b\left(\sum_{j=0}^{n-2} q_j r^j\right) + R.$$

The right-hand side of this equation is not only positive, but also less than $b r^{n-1}$, because
$\sum_{j=0}^{n-2} q_j r^j \le \sum_{j=0}^{n-2} (r - 1) r^j = \sum_{j=1}^{n-1} r^j - \sum_{j=0}^{n-2} r^j = r^{n-1} - 1$.
Therefore, we know that

$$0 \le a - b q_{n-1} r^{n-1} < b r^{n-1}.$$
This tells us that



We can obtain $q_{n-1}$ by successively subtracting $b r^{n-1}$ from a until we obtain a negative
result; $q_{n-1}$ is then one less than the number of subtractions.

To find the other digits of q, we define the sequence of partial remainders $R_i$ by

$$R_0 = a$$

and

$$R_i = R_{i-1} - b q_{n-i} r^{n-i}$$

for i = 1, 2, . . . , n. By mathematical induction, we show that

(2.1) $$R_i = \left(\sum_{j=0}^{n-i-1} q_j r^j\right) b + R.$$

For i = 0, this is clearly correct, because $R_0 = a = qb + R$. Now assume that

$$R_k = \left(\sum_{j=0}^{n-k-1} q_j r^j\right) b + R.$$

Then

$$R_{k+1} = R_k - b q_{n-k-1} r^{n-k-1}$$
$$= \left(\sum_{j=0}^{n-k-1} q_j r^j\right) b + R - b q_{n-k-1} r^{n-k-1}$$
$$= \left(\sum_{j=0}^{n-(k+1)-1} q_j r^j\right) b + R,$$

establishing (2.1).

By (2.1), we see that $0 \le R_i < r^{n-i} b$, for i = 1, 2, . . . , n, because
$\sum_{j=0}^{n-i-1} q_j r^j \le r^{n-i} - 1$. Consequently, because $R_i = R_{i-1} - b q_{n-i} r^{n-i}$ and
$0 \le R_i < r^{n-i} b$, we see that the digit $q_{n-i}$ is given by $[R_{i-1}/(b r^{n-i})]$ and can be
obtained by successively subtracting $b r^{n-i}$ from $R_{i-1}$ until a negative result is obtained,
and then $q_{n-i}$ is one less than the number of subtractions. This is how we find the digits of q.


Example 2.9. To divide $(11101)_2$ by $(111)_2$, we let $q = (q_2 q_1 q_0)_2$. We subtract
$2^2 (111)_2 = (11100)_2$ once from $(11101)_2$ to obtain $(1)_2$, and once more to obtain a
negative result, so that $q_2 = 1$. Now, $R_1 = (11101)_2 - (11100)_2 = (1)_2$. We find that
$q_1 = 0$, because $R_1 - 2(111)_2$ is less than zero, and likewise $q_0 = 0$. Hence, the quotient
of the division is $(100)_2$ and the remainder is $(1)_2$. ◄
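The partial remainder procedure can be traced step by step in code. This is an added example, not code from the text; the function name and the use of ordinary Python integers for a, b, and the partial remainders are assumptions made here, and only the quotient digits are produced by the repeated subtraction the section describes.

```python
# Added illustration (not from the textbook): quotient digits by repeated
# subtraction of b * r**(n-i) from the partial remainders R_0, R_1, ..., R_n.

def divide(a, b, r):
    """Divide a by b in base r.

    Returns (quotient digits [q_{n-1}, ..., q_0], remainder R, [R_0, ..., R_n]).
    """
    if a < 0 or b < 1 or r < 2:
        raise ValueError("need a >= 0, b >= 1 and base r >= 2")

    # n = number of base-r digits of the quotient: least n >= 1 with a < b * r**n.
    n = 1
    while a >= b * r ** n:
        n += 1

    remainder = a                      # R_0 = a
    partials = [remainder]
    quotient = []
    for i in range(1, n + 1):
        step = b * r ** (n - i)
        subtractions = 0
        while remainder >= 0:          # subtract until the result is negative
            remainder -= step
            subtractions += 1
        remainder += step              # R_i is the last nonnegative value
        quotient.append(subtractions - 1)   # q_{n-i}: one less than the count
        partials.append(remainder)
    return quotient, remainder, partials


if __name__ == "__main__":
    # Example 2.9: (11101)_2 divided by (111)_2.
    print(divide(0b11101, 0b111, 2))
```

Because $0 \le R_{i-1} < b r^{n-i+1}$, the inner loop performs at most r subtractions for each quotient digit.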
2.2 Exercises

1. Add $(101111011)_2$ and $(1100111011)_2$.

2. Add $(10001000111101)_2$ and $(11111101011111)_2$.

3. Subtract $(11010111)_2$ from $(1111000011)_2$.

4. Subtract $(101110101)_2$ from $(1101101100)_2$.

5. Multiply $(11101)_2$ and $(110001)_2$.

6. Multiply $(1110111)_2$ and $(10011011)_2$.

7. Find the quotient and remainder when $(110011111)_2$ is divided by $(1101)_2$.

8. Find the quotient and remainder when $(110100111)_2$ is divided by $(11101)_2$.

9. Add $(1234321)_5$ and $(2030104)_5$.

10. Subtract $(434421)_5$ from $(4434201)_5$.

11. Multiply $(1234)_5$ and $(3002)_5$.

12. Find the quotient and remainder when $(14321)_5$ is divided by $(334)_5$.

13. Add $(\mathrm{ABAB})_{16}$ and $(\mathrm{BABA})_{16}$.

14. Subtract $(\mathrm{CAFE})_{16}$ from $(\mathrm{FEED})_{16}$.

15. Multiply $(\mathrm{FACE})_{16}$ and $(\mathrm{BAD})_{16}$.

16. Find the quotient and remainder when $(\mathrm{BEADED})_{16}$ is divided by $(\mathrm{ABBA})_{16}$.

17. Explain how to add, subtract, and multiply the integers 18235187 and 22135674 on a 
computer with word size 1000. 

18. Write algorithms for the basic operations with integers in base (-2) notation (see Exercise 
8 of Section 2.1). 

19. How is the one’s complement representation of the sum of two integers obtained from the 
one’s complement representations of those integers? 

20. How is the one’s complement representation of the difference of two integers obtained from 
the one’s complement representations of those integers? 

21. Give an algorithm for adding and an algorithm for subtracting Cantor expansions (see the 
preamble to Exercise 28 of Section 2.1). 

22. A dozen equals 12, and a gross equals $12^2$. Using base 12, or duodecimal arithmetic, answer
the following questions.

a) If 3 gross, 7 dozen, and 4 eggs are removed from a total of 11 gross and 3 dozen eggs, how
many eggs are left?

b) If 5 truckloads of 2 gross, 3 dozen, and 7 eggs each are delivered to the supermarket, how 
many eggs are delivered? 

c) If 11 gross, 10 dozen, and 6 eggs are divided in 3 groups of equal size, how many eggs 
are in each group? 

23. A well-known rule used to find the square of an integer with decimal expansion
$(a_n a_{n-1} \ldots a_1 a_0)_{10}$ and final digit $a_0 = 5$ is to find the decimal expansion of the product
$(a_n a_{n-1} \ldots a_1)_{10} [(a_n a_{n-1} \ldots a_1)_{10} + 1]$, and append this with the digits $(25)_{10}$.
For instance, we see that the decimal expansion of $(165)^2$ begins with 16 · 17 = 272, so that
$(165)^2 = 27{,}225$. Show that this rule is valid.

24. In this exercise, we generalize the rule given in Exercise 23 to find the squares of integers
with final base 2B digit B, where B is a positive integer. Show that the base 2B expansion of
the integer $(a_n a_{n-1} \ldots$ starts with the digits of the base 2B expansion of the integer
$(a_n a_{n-1} \ldots a_1)_{2B} [(a_n a_{n-1} \ldots a_1)_{2B} + 1]$ and ends with the digits B/2 and 0 when B is even,
and the digits (B - 1)/2 and B when B is odd.

Computations and Explorations 

1. Verify the rules given in Exercises 23 and 24 for examples of your choice. 

Programming Projects 

1. Perform addition with arbitrarily large integers. 

2. Perform subtraction with arbitrarily large integers. 

3. Multiply two arbitrarily large integers using the conventional algorithm. 

4. Divide arbitrarily large integers, finding the quotient and remainder. 


2.3 Complexity of Integer Operations 

Once an algorithm has been specified for an operation, we can consider the amount of 
time required to perform this algorithm on a computer. We will measure the amount of 
time in terms of bit operations. By a bit operation we mean the addition, subtraction, or
multiplication of two binary digits, the division of a two-bit by a one-bit integer (obtaining
a quotient and a remainder), or the shifting of a binary integer one place. (The actual
amount of time required to carry out a bit operation on a computer varies depending on 
the computer architecture and capacity.) When we describe the number of bit operations 
needed to perform an algorithm, we are describing the computational complexity of this 
algorithm. 

In describing the number of bit operations needed to perform calculations, we will
use big-O notation. Big-O notation provides an upper bound on the size of a function in
terms of a particular well-known reference function whose size at large values is easily
understood.

To motivate the definition of this notation, consider the following situation. Suppose
that to perform a specified operation on an integer n requires at most $n^3 + 8n^2 \log n$
bit operations. Because $8n^2 \log n < 8n^3$ for every positive integer, less than $9n^3$ bit
operations are required for this operation for every integer n. Because the number of
bit operations required is always less than a constant times $n^3$, namely, $9n^3$, we say that
$O(n^3)$ bit operations are needed. In general, we have the following definition.

Definition. If f and g are functions taking positive values, defined for all $x \in S$, where
S is a specified set of real numbers, then f is O(g) on S if there is a positive constant K
such that f(x) < Kg(x) for all sufficiently large $x \in S$. (Normally, we take S to be the
set of positive integers, and we drop all reference to S.)
Big-O notation is used extensively throughout number theory and in the analysis
of algorithms. Paul Bachmann introduced big-O notation in 1892 ([Ba94]). The big-O
notation is sometimes called a Landau symbol, after Edmund Landau, who used this
notation throughout his work in the estimation of various functions in number theory.
The use of big-O notation in the analysis of algorithms was popularized by renowned
computer scientist Donald Knuth.

We illustrate this concept of big-O notation with several examples.

Example 2.10. We can show on the set of positive integers that $n^4 + 2n^3 + 5$ is $O(n^4)$.
To do this, note that $n^4 + 2n^3 + 5 \le n^4 + 2n^4 + 5n^4 = 8n^4$ for all positive integers. (We
take K = 8 in the definition.) The reader should also note that $n^4$ is $O(n^4 + 2n^3 + 5)$. ◄

Example 2.11. We can easily give a big-O estimate for $\sum_{j=1}^{n} j$. Noting that each
summand is less than n tells us that $\sum_{j=1}^{n} j \le \sum_{j=1}^{n} n = n \cdot n = n^2$. Note that we could
also derive this estimate easily from the formula $\sum_{j=1}^{n} j = n(n + 1)/2$. ◄

We now will give some useful results for working with big-O estimates for combinations
of functions.

Theorem 2.2. If f is O(g) and c is a positive constant, then cf is O(g).


PAUL GUSTAV HEINRICH BACHMANN (1837-1920), the son of a pastor,
shared his father’s pious lifestyle, as well as his love of music. His talent for
mathematics was discovered by one of his early teachers. After recovering from
tuberculosis, he studied at the University of Berlin and later in Göttingen, where
he attended lectures presented by Dirichlet. In 1862, he received his doctorate
under the supervision of the number theorist Kummer. Bachmann became a professor
at Breslau and later at Münster. After retiring, he continued mathematical
research, played the piano, and served as a music critic for newspapers. His
writings include a five-volume survey of number theory, a two-volume work on elementary number
theory, a book on irrational numbers, and a book on Fermat’s last theorem (this theorem is discussed
in Chapter 13). Bachmann introduced big-O notation in 1892.

EDMUND LANDAU (1877-1938) was the son of a Berlin gynecologist, and
attended high school in Berlin. He received his doctorate in 1899 under the
direction of Frobenius. Landau first taught at the University of Berlin and then
moved to Göttingen, where he was full professor until the Nazis forced him
to stop teaching. His main contributions to mathematics were in the field of
analytic number theory; he established several important results concerning the
distribution of primes. He authored a three-volume work on number theory and
many other books on mathematical analysis and analytic number theory.
Proof. If f is O(g), then there is a constant K with f(x) < Kg(x) for all x under
consideration. Hence cf(x) < (cK)g(x), so cf is O(g). ■

Theorem 2.3. If $f_1$ is $O(g_1)$ and $f_2$ is $O(g_2)$, then $f_1 + f_2$ is $O(g_1 + g_2)$, and $f_1 f_2$ is
$O(g_1 g_2)$.

Proof. If $f_1$ is $O(g_1)$ and $f_2$ is $O(g_2)$, then there are constants $K_1$ and $K_2$ such that
$f_1(x) < K_1 g_1(x)$ and $f_2(x) < K_2 g_2(x)$ for all x under consideration. Hence,

$$f_1(x) + f_2(x) < K_1 g_1(x) + K_2 g_2(x) \le K(g_1(x) + g_2(x)),$$

where K is the maximum of $K_1$ and $K_2$. Hence, $f_1 + f_2$ is $O(g_1 + g_2)$.

Also,

$$f_1(x) f_2(x) < K_1 g_1(x) K_2 g_2(x) = (K_1 K_2)(g_1(x) g_2(x)),$$

so $f_1 f_2$ is $O(g_1 g_2)$. ■

Corollary 2.3.1. If $f_1$ and $f_2$ are O(g), then $f_1 + f_2$ is O(g).

Proof. Theorem 2.3 tells us that $f_1 + f_2$ is O(2g). But if $f_1 + f_2 < K(2g)$, then
$f_1 + f_2 < (2K)g$, so $f_1 + f_2$ is O(g). ■



DONALD KNUTH (b. 1938) grew up in Milwaukee, where his father owned
a small printing business and taught bookkeeping. He was an excellent student
who also applied his intelligence in unconventional ways, such as finding more
than 4500 words that could be spelled from the letters in “Ziegler’s Giant Bar,”
winning a television set for his school and candy bars for everyone in his class.

Knuth graduated from Case Institute of Technology in 1960 with B.S. and
M.S. degrees in mathematics, by special award of the faculty who considered
his work outstanding. At Case, he managed the basketball team and applied his
mathematical talents by evaluating each player using a formula he developed (receiving coverage on
CBS television and in Newsweek). Knuth received his doctorate in 1963 from the California Institute
of Technology.

Knuth taught at the California Institute of Technology and Stanford University, retiring in 1992
to concentrate on writing. He is especially interested in updating and adding to his famous series,
The Art of Computer Programming. This series has had a profound influence on the development of
computer science. Knuth is the founder of the modern study of computational complexity and has
made fundamental contributions to the theory of compilers. Knuth has also invented the widely used
TeX and Metafont systems used for mathematical (and general) typography. TeX played an important
role in the development of HTML and the Internet. He popularized the big-O notation in his work on
the analysis of algorithms.

Knuth has written for a wide range of professional journals in computer science and mathematics.
However, his first publication, in 1957, when he was a college freshman, was “The Potrzebie
System of Weights and Measures,” a parody of the metric system, which appeared in MAD Magazine.
The goal in using big-O estimates is to give the best big-O estimate possible while 
using the simplest reference function possible. Well-known reference functions used in 
big-O estimates include $1$, $\log n$, $n$, $n \log n$, $n \log n \log\log n$, $n^2$, and $2^n$, as well as some 
other important functions. Calculus can be used to show that each function in this list is 
smaller than the next function in the list, in the sense that the ratio of the function and the 
next function tends to 0 as n grows without bound. Note that more complicated functions 
than these occur in big-O estimates, as you will see in later chapters. 

We illustrate how to use theorems for working with big-O estimates with the 
following example. 

Example 2.12. To give a big-O estimate for $(n + 8 \log n)(10n \log n + 17n^2)$, first 
note that $n + 8 \log n$ is $O(n)$ and $10n \log n + 17n^2$ is $O(n^2)$ (because $\log n$ is $O(n)$ and 
$n \log n$ is $O(n^2)$) by Theorems 2.2 and 2.3 and Corollary 2.3.1. By Theorem 2.3, we see 
that $(n + 8 \log n)(10n \log n + 17n^2)$ is $O(n^3)$. ◄ 

Using big-O notation, we can see that to add or subtract two n-bit integers takes 
$O(n)$ bit operations, whereas to multiply two n-bit integers in the conventional way 
takes $O(n^2)$ bit operations (see Exercises 12 and 13 at the end of this section). 
Surprisingly, there are faster algorithms for multiplying large integers. To develop one 
such algorithm, we first consider the multiplication of two 2n-bit integers, say, 
$a = (a_{2n-1}a_{2n-2} \cdots a_1a_0)_2$ and $b = (b_{2n-1}b_{2n-2} \cdots b_1b_0)_2$. We write 

$a = 2^n A_1 + A_0, \qquad b = 2^n B_1 + B_0,$ 

where 

$A_1 = (a_{2n-1}a_{2n-2} \cdots a_{n+1}a_n)_2, \qquad A_0 = (a_{n-1}a_{n-2} \cdots a_1a_0)_2,$ 
$B_1 = (b_{2n-1}b_{2n-2} \cdots b_{n+1}b_n)_2, \qquad B_0 = (b_{n-1}b_{n-2} \cdots b_1b_0)_2.$ 

We will use the identity 

(2.2)    $ab = (2^{2n} + 2^n)A_1B_1 + 2^n(A_1 - A_0)(B_0 - B_1) + (2^n + 1)A_0B_0.$ 

To find the product of a and b using (2.2) requires that we perform three multiplications 
of n-bit integers (namely, $A_1B_1$, $(A_1 - A_0)(B_0 - B_1)$, and $A_0B_0$), as well as a number 
of additions and shifts. This is illustrated by the following example. 

Example 2.13. We can use (2.2) to multiply $(1101)_2$ and $(1011)_2$. We have 
$(1101)_2 = 2^2(11)_2 + (01)_2$ and $(1011)_2 = 2^2(10)_2 + (11)_2$. Using (2.2), we find that 

$(1101)_2(1011)_2 = (2^4 + 2^2)(11)_2(10)_2 + 2^2((11)_2 - (01)_2)((11)_2 - (10)_2) + (2^2 + 1)(01)_2(11)_2$ 

$= (2^4 + 2^2)(110)_2 + 2^2(10)_2(01)_2 + (2^2 + 1)(11)_2$ 

$= (1100000)_2 + (11000)_2 + (1000)_2 + (1100)_2 + (11)_2$ 

$= (10001111)_2.$ ◄ 

We will now estimate the number of bit operations required to multiply two n-bit integers 
by using (2.2) repeatedly. If we let $M(n)$ denote the number of bit operations needed to 
multiply two n-bit integers, we find from (2.2) that 

(2.3)    $M(2n) \le 3M(n) + Cn,$ 

where C is a constant, because each of the three multiplications of n-bit integers takes 
$M(n)$ bit operations, whereas the number of additions and shifts needed to compute ab 
via (2.2) does not depend on n, and each of these operations takes $O(n)$ bit operations. 

From (2.3), using mathematical induction, we can show that 

(2.4)    $M(2^k) \le c(3^k - 2^k),$ 

where c is the maximum of the quantities $M(2)$ and C (the constant in (2.3)). To carry out 
the induction argument, we first note that with k = 1, we have $M(2) \le c(3^1 - 2^1) = c$, 
because c is the maximum of $M(2)$ and C. 

As the induction hypothesis, we assume that 

$M(2^k) \le c(3^k - 2^k).$ 

Then, using (2.3), we have 

$M(2^{k+1}) \le 3M(2^k) + C2^k$ 

$\le 3c(3^k - 2^k) + C2^k$ 

$\le c3^{k+1} - c \cdot 3 \cdot 2^k + c2^k$ 

$\le c(3^{k+1} - 2^{k+1}).$ 

This establishes that (2.4) is valid for all positive integers k. 

Using inequality (2.4), we can prove the following theorem. 

Theorem 2.4. Multiplication of two n-bit integers can be performed using $O(n^{\log_2 3})$ 
bit operations. (Note: $\log_2 3$ is approximately 1.585, which is considerably less than the 
exponent 2 that occurs in the estimate of the number of bit operations needed for the 
conventional multiplication algorithm.) 

Proof. From (2.4), we have 

$M(n) = M(2^{\log_2 n}) \le M(2^{[\log_2 n]+1})$ 

$\le c(3^{[\log_2 n]+1} - 2^{[\log_2 n]+1})$ 

$\le 3c \cdot 3^{[\log_2 n]} \le 3c \cdot 3^{\log_2 n} = 3cn^{\log_2 3}$ (because $3^{\log_2 n} = n^{\log_2 3}$). 

Hence, $M(n)$ is $O(n^{\log_2 3})$. ■ 
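
Identity (2.2) applied recursively, as an added Python example that is not part of the book: `multiply` pads both operands to 2^k bits, recurses down to products of one-bit integers, and returns the product together with the number of one-bit products used, which is 3^k rather than the 4^k of the conventional method. The function names and the padding to a power of two are choices made for this example.

```python
# Added example (not from the book): recursive multiplication with identity (2.2).
# Function names and the power-of-two padding are choices made here.


def mul_2_2(a, b, bits, stats):
    """Multiply integers with |a|, |b| < 2**bits, where bits is a power of two."""
    if bits == 1:
        stats["bit_products"] += 1      # one product of one-bit integers
        return a * b                    # operands are -1, 0 or 1 here
    # The factors (A1 - A0) and (B0 - B1) can be negative, so work with
    # magnitudes and restore the sign at the end.
    sign = -1 if (a < 0) != (b < 0) else 1
    a, b = abs(a), abs(b)
    n = bits // 2
    mask = (1 << n) - 1
    a1, a0 = a >> n, a & mask           # a = 2^n * A1 + A0
    b1, b0 = b >> n, b & mask           # b = 2^n * B1 + B0
    high = mul_2_2(a1, b1, n, stats)            # A1 * B1
    mid = mul_2_2(a1 - a0, b0 - b1, n, stats)   # (A1 - A0)(B0 - B1)
    low = mul_2_2(a0, b0, n, stats)             # A0 * B0
    # ab = (2^(2n) + 2^n) A1B1 + 2^n (A1 - A0)(B0 - B1) + (2^n + 1) A0B0
    product = ((high << (2 * n)) + (high << n)
               + (mid << n)
               + (low << n) + low)
    return sign * product


def multiply(a, b):
    """Return (a * b, number of one-bit products) for nonnegative a and b."""
    if a < 0 or b < 0:
        raise ValueError("operands must be nonnegative")
    bits = 1
    while bits < max(a.bit_length(), b.bit_length()):
        bits *= 2                       # pad both operands to 2^k bits
    stats = {"bit_products": 0}
    return mul_2_2(a, b, bits, stats), stats["bit_products"]


if __name__ == "__main__":
    product, used = multiply(0b1101, 0b1011)    # the operands of Example 2.13
    print(bin(product), used)
    for k in (6, 8, 10):                        # 64-, 256- and 1024-bit operands
        a = (1 << 2**k) - 1
        _, used = multiply(a, a)
        print(2**k, "bits:", used, "one-bit products, conventional:", 4**k)
```
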

We now state, without proof, two pertinent theorems. Proofs may be found in [Kn97] 
or [Kr79]. 

Theorem 2.5. Given a positive number $\epsilon > 0$, there is an algorithm for multiplication 
of two n-bit integers using $O(n^{1+\epsilon})$ bit operations. 





Note that Theorem 2.4 is a special case of Theorem 2.5 with $\epsilon = \log_2 3 - 1$, which 
is approximately 0.585. 

Theorem 2.6. There is an algorithm to multiply two n-bit integers using 
$O(n \log_2 n \log_2 \log_2 n)$ bit operations. 

Because $\log_2 n$ and $\log_2 \log_2 n$ are much smaller than $n^{\epsilon}$ for large numbers n, 
Theorem 2.6 is an improvement over Theorem 2.5. Although we know that $M(n)$ is 
$O(n \log_2 n \log_2 \log_2 n)$, for simplicity we will use the obvious fact that $M(n)$ is $O(n^2)$ 
in our subsequent discussions. 

The conventional algorithm described in Section 2.2 performs a division of a 2n-bit 
integer by an n-bit integer with $O(n^2)$ bit operations. However, the number of bit 
operations needed for integer division can be related to the number of bit operations 
needed for integer multiplication. We state the following theorem, which is based on an 
algorithm discussed in [Kn97]. 

Theorem 2.7. There is an algorithm to find the quotient $q = [a/b]$, when the 2n-bit 
integer a is divided by the integer b (having no more than n bits), using $O(M(n))$ 
bit operations, where $M(n)$ is the number of bit operations needed to multiply two n-bit 
integers. 


2.3 Exercises 

1. Determine whether each of the following functions is $O(n)$ on the set of positive integers. 

a) $2n + 7$    b) $n^2/3$    c) $10$    d) $\log(n^2 + 1)$    e) $\sqrt{n^2 + 1}$    f) $(n^2 + 1)/(n + 1)$ 

2. Show that $2n^4 + 3n^3 + 17$ is $O(n^4)$ on the set of positive integers. 

3. Show that $(n^3 + 4n^2 \log n + 101n^2)(14n \log n + 8n)$ is $O(n^4 \log n)$. 

4. Show that $n!$ is $O(n^n)$ on the set of positive integers. 

5. Show that $(n! + 1)(n + \log n) + (n^3 + n^n)((\log n)^3 + n + 7)$ is $O(n^{n+1})$. 

6. Suppose that m is a positive real number. Show that $\sum_{j=1}^{n} j^m$ is $O(n^{m+1})$. 

7. Show that $n \log n$ is $O(\log n!)$ on the set of positive integers. 

8. Show that if $f_1$ and $f_2$ are $O(g_1)$ and $O(g_2)$, respectively, and $c_1$ and $c_2$ are constants, then 
$c_1f_1 + c_2f_2$ is $O(g_1 + g_2)$. 

9. Show that if $f$ is $O(g)$, then $f^k$ is $O(g^k)$ for all positive integers k. 

10. Let r be a positive real number greater than 1. Show that a function $f$ is $O(\log_2 n)$ if and 
only if $f$ is $O(\log_r n)$. (Hint: Recall that $\log_a n / \log_b n = \log_a b$.) 

11. Show that the base b expansion of a positive integer n has $[\log_b n] + 1$ digits. 

12. Analyzing the conventional algorithms for subtraction and addition, show that these 
operations require $O(n)$ bit operations with n-bit integers. 




13. Show that to multiply an n-bit and an m-bit integer in the conventional manner requires 
$O(nm)$ bit operations. 

14. Estimate the number of bit operations needed to find $1 + 2 + \cdots + n$, 

a) by performing all the additions; 

b) by using the identity $1 + 2 + \cdots + n = n(n + 1)/2$, and multiplying and shifting. 

15. Give an estimate for the number of bit operations needed to find each of the following 
quantities. 

a) n! b) Q 

16. Give an estimate of the number of bit operations needed to find the binary expansion of an 
integer from its decimal expansion. 

17. Use identity (2.2) with n = 2 to multiply $(1001)_2$ and $(1011)_2$. 

18. Use identity (2.2) with n = 4, and then with n = 2, to multiply $(10010011)_2$ and $(11001001)_2$. 

19. a) Show there is an identity analogous to (2.2) for decimal expansions. 

b) Using part (a), multiply 73 and 87 performing only three multiplications of one-digit 
integers, plus shifts and additions. 

c) Using part (a), reduce the multiplication of 4216 and 2733 to three multiplications of 
two-digit integers, plus shifts and additions; then, using part (a) again, reduce each of 
the multiplications of two-digit integers into three multiplications of one-digit integers, 
plus shifts and additions. Complete the multiplication using only nine multiplications of 
one-digit integers, and shifts and additions. 

20. If A and B are $n \times n$ matrices, with entries $a_{ij}$ and $b_{ij}$ for $1 \le i \le n$, $1 \le j \le n$, then AB is 
the $n \times n$ matrix with entries $c_{ij} = \sum_{k=1}^{n} a_{ik}b_{kj}$. Show that $n^3$ multiplications of integers are 
used to find AB directly from its definition. 

21. Show that it is possible to multiply two $2 \times 2$ matrices using only seven multiplications of 
integers, by using the identity 

$$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \begin{pmatrix} b_{11} & b_{12} \\ b_{21} & b_{22} \end{pmatrix} = \begin{pmatrix} a_{11}b_{11} + a_{12}b_{21} & x + (a_{21} + a_{22})(b_{12} - b_{11}) + (a_{11} + a_{12} - a_{21} - a_{22})b_{22} \\ x + (a_{11} - a_{21})(b_{22} - b_{12}) - a_{22}(b_{11} - b_{21} - b_{12} + b_{22}) & x + (a_{11} - a_{21})(b_{22} - b_{12}) + (a_{21} + a_{22})(b_{12} - b_{11}) \end{pmatrix},$$

where $x = a_{11}b_{11} - (a_{11} - a_{21} - a_{22})(b_{11} - b_{12} + b_{22})$. 

22. Using an inductive argument, and splitting $(2n) \times (2n)$ matrices into four $n \times n$ matrices, 
use Exercise 21 to show that it is possible to multiply two $2^k \times 2^k$ matrices using only $7^k$ 
multiplications, and less than $7^{k+1}$ additions. 

23. Conclude from Exercise 22 that two $n \times n$ matrices can be multiplied using $O(n^{\log_2 7})$ bit 
operations when all entries of the matrices have less than c bits, where c is a constant. 

Computations and Explorations 

1. Multiply 81,873,569 and 41,458,892 by using identity (2.2) with these eight-digit integers, 
with the resulting four-digit integers, and with the resulting two-digit integers. 

2. Multiply two $8 \times 8$ matrices of your choice, by using the identity in Exercise 21 with these 
matrices and then again for the multiplication of the resulting $4 \times 4$ matrices. 

Programming Projects 

1. Multiply two arbitrarily large integers using identity (2.2). 

2. Multiply two $n \times n$ matrices using the algorithm discussed in Exercises 21-23. 

This chapter introduces a central concept of number theory, namely, that of a prime 
number. A prime is an integer with precisely two positive integer divisors. Prime 
numbers were studied extensively by the ancient Greeks, who discovered many of their 
basic properties. In the past three centuries, mathematicians have devoted countless hours 
to exploring the world of primes. They have discovered many fascinating properties, 
formulated diverse conjectures, and proved interesting and surprising results. Research 
into questions involving primes continues today, partly driven by the importance of 
primes in modern cryptography. Open questions about primes stimulate new research. 
There are also tens of thousands of people trying to enter the record books by finding 
the largest prime yet known. 

In this chapter, we will show that there are infinitely many primes. The proof we 
will give dates back to ancient times. We will also show how to find all the primes not 
exceeding a given integer, using the sieve of Eratosthenes, also dating back to antiquity. 
We will discuss the distribution of primes, and state the famous prime number theorem 
that was proved at the end of the nineteenth century. This theorem provides an accurate 
estimate for the number of primes not exceeding a given integer. Many questions about 
primes remain open despite attention from mathematicians over hundreds of years; we 
will discuss a selection of such problems, including two of the best known, the twin 
prime conjecture and Goldbach’s conjecture. 

This chapter also shows that every positive integer can be written uniquely as the 
product of primes (when the primes are written in increasing order of size). This result 
is known as the fundamental theorem of arithmetic. To prove this theorem, we will use 
the concept of the greatest common divisor of two integers. We will establish many 
important properties of the greatest common divisor in this chapter, such as the fact 
that it is the smallest positive linear combination of these integers. We will describe the 
Euclidean algorithm that can be used for finding the greatest common divisor of two 
integers, and analyze its computational complexity. We will discuss methods used to 
find the factorization of integers into products of primes, and discuss the complexity 
of these methods. Numbers of special form are often studied in number theory; in this 
chapter, we will introduce the Fermat numbers, which are integers of the form $2^{2^n} + 1$. 
(Fermat conjectured that they are all prime but this turns out not to be true.) 

Finally, we will introduce the concept of a diophantine equation, which is an 
equation where only solutions in integers are sought. We will show how greatest common 
divisors can be used to help solve linear diophantine equations. Unlike many other 
diophantine equations, linear diophantine equations can be solved easily and systematically. 

3.1 Prime Numbers 

The positive integer 1 has just one positive divisor. Every other positive integer has at 
least two positive divisors, because it is divisible by 1 and by itself. Integers with exactly 
two positive divisors are of great importance in number theory; they are called primes. 

Definition. A prime is an integer greater than 1 that is divisible by no positive integers 
other than 1 and itself. 

Example 3.1. The integers 2, 3, 5, 13, 101, and 163 are primes. ◄ 

Definition. An integer greater than 1 that is not prime is called composite. 

Example 3.2. The integers $4 = 2 \cdot 2$, $8 = 4 \cdot 2$, $33 = 3 \cdot 11$, $111 = 3 \cdot 37$, and 
$1001 = 7 \cdot 11 \cdot 13$ are composite. ◄ 

The primes are the multiplicative building blocks of the integers. Later, we will show 
that every positive integer can be written uniquely as the product of primes. 

In this section, we will discuss the distribution of prime numbers among the set of 
positive integers, and prove some elementary properties about this distribution. We will 
also discuss more powerful results about the distribution of primes. The theorems we 
will introduce include some of the most famous results in number theory. 

You can find all primes less than 10,000 in Table E.1 at the end of the book. 

The Infinitude of Primes We start by showing that there are infinitely many primes, 
for which the following lemma is needed. 

Lemma 3.1. Every integer greater than 1 has a prime divisor. 

Proof. We prove the lemma by contradiction; we assume that there is a positive integer 
greater than 1 having no prime divisors. Then, since the set of positive integers greater 
than 1 with no prime divisors is nonempty, the well-ordering property tells us that there 
is a least positive integer n greater than 1 with no prime divisors. Because n has no prime 
divisors and n divides n, we see that n is not prime. Hence, we can write n = ab with 
1 < a < n and 1 < b < n. Because a < n, a must have a prime divisor. By Theorem 1.8, 
any divisor of a is also a divisor of n, so n must have a prime divisor, contradicting the 
fact that n has no prime divisors. We can conclude that every positive integer greater 
than 1 has at least one prime divisor. ■ 

We now show that there are infinitely many primes, a wondrous result known by 
the ancient Greeks. This is one of the key theorems in number theory that can be proved 
in a variety of ways. The proof we will provide was presented by Euclid in his book 
the Elements (Book IX, 20). This simple yet elegant proof is considered by many to be 
particularly beautiful. It is not surprising that the very first proof found in the book Proofs 
from THE BOOK [AiZi10], a collection of particularly insightful and clever proofs, 
begins with this proof found in Euclid. Moreover, this book presents six quite different 
proofs of the infinitude of primes. (Here, THE BOOK refers to the imagined collection 
of perfect proofs that Paul Erdős claimed is maintained by God.) We will introduce 
a variety of different proofs that there are infinitely many primes later in this chapter. 
(See Exercise 8 at the end of this section, the exercise sets in Sections 3.3 and 3.5, and 
Section 3.6.) 

Theorem 3.1. There are infinitely many primes. 

Proof. Suppose that there are only finitely many primes, $p_1, p_2, \ldots, p_n$, where n is a 
positive integer. Consider the integer $Q_n$, obtained by multiplying these primes together 
and adding one, that is, 

$Q_n = p_1p_2 \cdots p_n + 1.$ 

By Lemma 3.1, $Q_n$ has at least one prime divisor, say, q. We obtain a contradiction by 
showing that q is not one of the primes listed. (These supposedly formed a complete list of 
all primes.) If $q = p_j$ for some integer j with $1 \le j \le n$, then since $Q_n - p_1p_2 \cdots p_n = 1$, 
because q divides both terms on the left-hand side of this equation, by Theorem 1.9 it 
follows that $q \mid 1$. This is impossible because no prime divides 1. Consequently, q must be 
a prime we have not listed. This contradiction shows that there are infinitely many primes. ■ 


The proof of Theorem 3.1 is nonconstructive because the integer we have 
constructed in the proof, $Q_n$, which is one more than the product of the first n primes, may 
or may not be prime (see Exercise 11). Consequently, in the proof we have not found a 
new prime, but we know that one exists. 

Finding Primes In later chapters, we will be interested in finding and using extremely 
large primes. Tests distinguishing between primes and composite integers will be crucial; 
such tests are called primality tests. The most basic primality test is trial division, which 
tells us that the integer n is prime if and only if it is not divisible by any prime not 
exceeding $\sqrt{n}$. We now prove that this test can be used to determine whether n is prime. 

Theorem 3.2. If n is a composite integer, then n has a prime factor not exceeding $\sqrt{n}$. 

Proof. Because n is composite, we can write n = ab, where a and b are integers with 
$1 < a \le b < n$. We must have $a \le \sqrt{n}$, since otherwise $b \ge a > \sqrt{n}$ and $ab > \sqrt{n} \cdot \sqrt{n} = n$. 
Now, by Lemma 3.1, a must have a prime divisor, which by Theorem 1.8 is also a 
divisor of n and which is clearly less than or equal to $\sqrt{n}$. ■ 

We can use Theorem 3.2 to find all the primes less than or equal to a given positive 
integer n. This procedure is called the sieve of Eratosthenes, since it was invented by 
the ancient Greek mathematician Eratosthenes. We illustrate its use in Figure 3.1 by 
finding all primes less than 100. We first note that every composite integer less than 100 
must have a prime factor less than $\sqrt{100} = 10$. Because the only primes less than 10 are 
2, 3, 5, and 7, we only need to check each integer less than 100 for divisibility by these 
primes. We first cross out, with a horizontal line (—), all multiples of 2 greater than 2. 
Next, we cross out with a slash (/) those integers remaining that are multiples of 3, other 
than 3 itself. Then all multiples of 5, other than 5, that remain are crossed out with a 
backslash (\). Finally, all multiples of 7, other than 7, that are left are crossed out with a 
vertical stroke (|). All remaining integers (other than 1, which we cross out using an x) 
must be prime (and are shown in boldface in the figure). 

Figure 3.1 Using the sieve of Eratosthenes to find the primes less than 100. 

Although the sieve of Eratosthenes produces all primes less than or equal to a fixed 
integer, to determine in this manner whether a particular integer n is prime it is necessary 
to check n for divisibility by all primes not exceeding $\sqrt{n}$. This is quite inefficient; later, 
we will give better methods for deciding whether or not an integer is prime. 

We now introduce a function that counts the primes not exceeding a specified 
number. 

Definition. The function $\pi(x)$, where x is a positive real number, denotes the number 
of primes not exceeding x. 


ERATOSTHENES (c. 276-194 B.C.E.) was born in Cyrene, which was a Greek 
colony west of Egypt. It is known that he spent some time studying at Plato’s 
school in Athens. King Ptolemy II invited Eratosthenes to Alexandria to tutor 
his son. Later, Eratosthenes became the chief librarian of the famous library 
at Alexandria, which was a central repository of ancient works of literature, 
art, and science. He was an extremely versatile scholar, having written on 
mathematics, geography, astronomy, history, philosophy, and literature. Besides 
his work in mathematics, Eratosthenes was most noted for his chronology of 
ancient history and for his geographical measurements, including his famous measurement of the 
size of the earth. 

Example 3.3. From our illustration of the sieve of Eratosthenes, we see that $\pi(10) = 4$ 
and $\pi(100) = 25$. ◄ 

Primes in Arithmetic Progressions Every odd integer is either of the form $4n + 1$ 
or the form $4n + 3$. Are there infinitely many primes in both these forms? The primes 
5, 13, 17, 29, 37, 41, ... are of the form $4n + 1$, and the primes 3, 7, 11, 19, 23, 31, 
43, ... are of the form $4n + 3$. Looking at this evidence hints that there are infinitely 
many primes in both these progressions. What about other arithmetic progressions such 
as $3n + 1$, $7n + 4$, $8n + 7$, and so on? Does each of these contain infinitely many primes? 
German mathematician G. Lejeune Dirichlet settled this question in 1837, when he used 
methods from complex analysis to prove the following theorem. 

Theorem 3.3. Dirichlet’s Theorem on Primes in Arithmetic Progressions. Suppose 
that a and b are relatively prime positive integers. Then the arithmetic progression 
$an + b$, $n = 1, 2, 3, \ldots$, contains infinitely many primes. 

No simple proof of Dirichlet’s theorem on primes in arithmetic progressions is 
known. (Dirichlet’s original proof used complex variables. In the 1950s, elementary but 
complicated proofs were found by Erdős and by Selberg.) However, special cases of 
Dirichlet’s theorem can be proved quite easily. We will illustrate this in Section 3.5, by 
showing that there are infinitely many primes of the form $4n + 3$. 

The Largest Known Primes For hundreds if not thousands of years, professional and 
amateur mathematicians have been motivated to find a prime larger than any currently 
known. The person who discovers such a prime becomes famous, at least for a time, 
and has his or her name entered into the record books. Because there are infinitely many 
prime numbers, there is always a prime larger than the current record. Looking for new 
primes is done somewhat systematically; rather than checking randomly, people examine 
numbers that have a special form. For example, in Chapter 7 we will discuss primes of 
the form $2^p - 1$, where p is prime; such numbers are called Mersenne primes. We will 
see that there is a special test that makes it possible to determine whether $2^p - 1$ is 
prime without performing trial divisions. The largest known prime number has been a 
Mersenne prime for most of the past hundred years. Currently, the world record for the 
largest prime known is $2^{43,112,609} - 1$. 


G. LEJEUNE DIRICHLET (1805-1859) was born into a French family living 
in the vicinity of Cologne, Germany. He studied at the University of Paris when 
this was an important world center of mathematics. He held positions at the 
University of Breslau and the University of Berlin, and in 1855 was chosen 
to succeed Gauss at the University of Göttingen. Dirichlet is said to be the 
first person to master Gauss’s Disquisitiones Arithmeticae, which had appeared 
20 years earlier. He is said to have kept a copy of this book at his side even 
when he traveled. His book on number theory, Vorlesungen über Zahlentheorie, 
helped make Gauss’s discoveries accessible to other mathematicians. Besides his fundamental work 
in number theory, Dirichlet made many important contributions to analysis. His famous “drawer 
principle,” also called the pigeonhole principle, is used extensively in combinatorics and in number 
theory. 

Formulas for Primes Is there a formula that generates only primes? This is another 
question that has interested mathematicians for many years. No polynomial in one 
variable has this property, as Exercise 23 demonstrates. It is also the case that no 
polynomial in n variables, where n is a positive integer, generates only primes (a result 
that is beyond the scope of this book). There are several impractical formulas that 
generate only primes. For example, Mills has shown that there is a constant $\theta$ such 
that the function $f(n) = [\theta^{3^n}]$ generates only primes. Here the value of $\theta$ is known only 
approximately, with $\theta \approx 1.3064$. This formula is impractical for generating primes not 
only because the exact value of $\theta$ is not known, but also because to compute $\theta$ you must 
know the primes that $f(n)$ generates (see [Mi47] for details). 

If no useful formula can be used to generate large primes, how can they be generated? 
In Chapter 6, we will learn how to generate large primes using what are known as 
probabilistic primality tests. 

Primality Proofs 

If someone presents you with a positive integer n and claims that n is prime, how can you 
be sure that n really is prime? We already know that we can determine whether n is prime 
by performing trial divisions of n by the primes not exceeding $\sqrt{n}$. If n is not divisible 
by any of these primes, it itself is prime. Consequently, once we have determined that 
n is not divisible by any prime not exceeding its square root, we have produced a proof 
that n is prime. Such a proof is also known as a certificate of primality. 

Unfortunately, using trial division to produce a certificate of primality is extremely 
inefficient. To see this, we estimate the number of bit operations used by this test. Using 
the prime number theorem, we can estimate the number of bit operations needed to show 
that an integer n is prime by trial divisions of n by all primes not exceeding $\sqrt{n}$. The prime 
number theorem tells us that there are approximately $\sqrt{n}/\log\sqrt{n} = 2\sqrt{n}/\log n$ primes 
not exceeding $\sqrt{n}$. To divide n by an integer m takes $O(\log_2 n \cdot \log_2 m)$ bit operations. 
Therefore, the number of bit operations needed to show that n is prime by this method is 
at least $(2\sqrt{n}/\log n)(c \log_2 n) = c\sqrt{n}$ (where we have ignored the $\log_2 m$ term because it 
is at least 1, even though it sometimes is as large as $(\log_2 n)/2$). This method of showing 
that an integer n is prime is very inefficient, for it is necessary not only to know all the 
primes not larger than $\sqrt{n}$, but to do at least a constant multiple of $\sqrt{n}$ bit operations. 

To input an integer into a computer program, we input the binary digits of the integer. 
Consequently, the computational complexity of algorithms for determining whether an 
integer is prime is measured in terms of the number of binary digits in the integer. By 
Exercise 11 in Section 2.3, we know that a positive integer n has $[\log_2 n] + 1$ binary 
digits. Consequently, a big-O estimate for the computational complexity of an algorithm 
in terms of number of binary digits of n translates to the same big-O estimate in terms of 
$\log_2 n$, and vice versa. Note that the algorithm using trial divisions to determine whether 
an integer n is prime is exponential in terms of the number of binary digits of n, or 
in terms of $\log_2 n$, because $\sqrt{n} = 2^{(\log_2 n)/2}$. That is, this algorithm has exponential time 
complexity, measured in terms of the number of binary digits in n. As n gets large, 
an algorithm with exponential complexity quickly becomes impractical. Determining 
whether a number with 200 digits is prime using trial division still takes billions of years 
on the fastest computers. 
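
The sieve of Eratosthenes, the counting function π(x), and the trial-division test discussed above, as an added Python example that is not part of the book: `trial_division` divides n by the primes not exceeding its square root and reports how many divisions it performed, so the count can be set beside the text's estimate 2√n / log n. The function names and the sample integers are choices made for this example.

```python
# Added example (not from the book): sieve of Eratosthenes, pi(x), and a
# trial-division primality check that counts its divisions.
from math import isqrt, log, sqrt


def sieve(limit):
    """Return all primes <= limit with the sieve of Eratosthenes."""
    if limit < 2:
        return []
    unmarked = bytearray([1]) * (limit + 1)
    unmarked[0] = unmarked[1] = 0              # 0 and 1 are not prime
    # Theorem 3.2: a composite m <= limit has a prime factor <= sqrt(limit),
    # so crossing out multiples of the primes up to isqrt(limit) is enough.
    for p in range(2, isqrt(limit) + 1):
        if unmarked[p]:
            # Multiples of p below p*p were already crossed out by a smaller prime.
            count = len(range(p * p, limit + 1, p))
            unmarked[p * p::p] = bytes(count)
    return [m for m, flag in enumerate(unmarked) if flag]


def prime_pi(x):
    """pi(x): the number of primes not exceeding the positive real x."""
    return len(sieve(int(x)))


def trial_division(n):
    """Test an integer n > 1 by dividing by the primes not exceeding sqrt(n).

    Returns (is_prime, factor, divisions): factor is the smallest prime
    divisor found (None when n is prime), and divisions is the number of
    trial divisions performed.
    """
    if n < 2:
        raise ValueError("n must be an integer greater than 1")
    divisions = 0
    for p in sieve(isqrt(n)):
        divisions += 1
        if n % p == 0:
            return False, p, divisions
    return True, None, divisions


def pnt_estimate(n):
    """The text's estimate 2*sqrt(n)/log(n) for the number of primes <= sqrt(n)."""
    return 2 * sqrt(n) / log(n)


if __name__ == "__main__":
    print(prime_pi(10), prime_pi(100))         # the values of Example 3.3
    for n in (1_000_003, 2**31 - 1):           # sample primes chosen here
        is_prime, factor, divisions = trial_division(n)
        print(n, n.bit_length(), "bits:", is_prime, divisions,
              "divisions, estimate", round(pnt_estimate(n)))
```
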

Mathematicians have looked for efficient primality tests for many years. In 
particular, they have searched for an algorithm that produces a certificate of primality in 
polynomial time, measured in terms of the number of binary digits of the integer input. 
In 1975, G. L. Miller developed an algorithm that can prove that an integer is prime 
using $O((\log n)^5)$ bit operations, assuming the validity of a hypothesis called the 
generalized Riemann hypothesis. Unfortunately, the generalized Riemann hypothesis remains 
an open conjecture. In 1983, Leonard Adleman, Carl Pomerance, and Robert Rumely 
developed an algorithm that can prove an integer is prime using $(\log n)^{c \log\log\log n}$ bit 
operations, where c is a constant. Although their algorithm does not run in polynomial 
time, it runs in close to polynomial time because the function $\log\log\log n$ grows so 
slowly. To use their algorithm with an up-to-date PC to determine whether a 100-digit 
integer is prime requires just a few milliseconds, determining whether a 400-digit 
integer is prime requires less than a second, and determining whether a 1000-digit integer is 
prime takes less than an hour. (For more information about their test, see [AdPoRu83] 
and [Ru83].) 

A Polynomial Time Algorithm for Prime Certificates Until 2002, no one was able 
to find a polynomial time algorithm for proving that a positive integer is prime. In 2002, 
M. Agrawal, N. Kayal, and N. Saxena, an Indian computer science professor and two 
of his undergraduate students, announced that they had found an algorithm that can 
produce a certificate of primality for an integer n using $O((\log n)^{12})$ bit operations. 
Their discovery of a polynomial time algorithm for proving that a positive integer is 
prime surprised the mathematical community. Their announcement stated that “PRIMES 
is in P.” Here, computer scientists denote by PRIMES the problem of determining 
whether a given integer n is prime, and P denotes the class of problems that can be 
solved in polynomial time. Consequently, PRIMES is in P means that one can determine 
whether n is prime using an algorithm that has computational complexity bounded by 
a polynomial in the number of binary digits in n, or equivalently, in $\log n$. Their proof 
can be found in [AgKaSa02] and can be understood by undergraduate students who have 
studied number theory and abstract algebra. In this paper, they also show that under the 
assumption of a widely believed conjecture about the density of Sophie Germain primes 
(see Chapter 13 for a biography of the French mathematician Sophie Germain)¹ (primes 
p for which 2p + 1 is also prime), their algorithm uses only $O((\log n)^6)$ bit operations. 
Other mathematicians have also improved on Agrawal, Kayal, and Saxena’s result. In 
particular, H. Lenstra and C. Pomerance have reduced the exponent 12 in the original 
estimate to $6 + \epsilon$, where $\epsilon$ is any positive real number. 


¹ Both the first name and last name of Sophie Germain are used to describe primes p for which 2p + 1 is also 
prime. This type of terminology is rarely used when the names of other mathematicians are used as adjectives. 

It is important to note that in our discussion of primality tests, we have only addressed 
deterministic algorithms, that is, algorithms that decide with certainty whether an integer 
is prime. In Chapter 6, we will introduce the notion of probabilistic primality tests, that 
is, tests that tell us that there is a high probability, but not a certainty, that an integer is 
prime. 


3.1 Exercises 

1. Determine which of the following integers are primes. 

a) 101    b) 103    c) 107    d) 111    e) 113    f) 121 

2. Determine which of the following integers are primes. 

a) 201    b) 203    c) 207    d) 211    e) 213    f) 221 

3. Use the sieve of Eratosthenes to find all primes less than 150. 

4. Use the sieve of Eratosthenes to find all primes less than 200. 

5. Find all primes that are the difference of the fourth powers of two integers. 

6. Show that no integer of the form $n^3 + 1$ is a prime, other than $2 = 1^3 + 1$. 

7. Show that if a and n are positive integers with n > 1 and $a^n - 1$ is prime, then a = 2 and n is 
prime. (Hint: Use the identity $a^{kl} - 1 = (a^k - 1)(a^{k(l-1)} + a^{k(l-2)} + \cdots + a^k + 1)$.) 

8. (This exercise constructs another proof of the infinitude of primes.) Show that the integer 
$Q_n = n! + 1$, where n is a positive integer, has a prime divisor greater than n. Conclude that 
there are infinitely many primes. 

9. Can you show that there are infinitely many primes by looking at the integers $S_n = n! - 1$, 
where n is a positive integer? 

10. Using Euclid’s proof that there are infinitely many primes, show that the nth prime $p_n$ does 
not exceed $2^{2^n}$ whenever n is a positive integer. Conclude that when n is a positive integer, 
there are at least n + 1 primes less than $2^{2^n}$. 

11. Let $Q_n = p_1 p_2 \cdots p_n + 1$, where $p_1, p_2, \ldots, p_n$ are the n smallest primes. Determine the 
smallest prime factor of $Q_n$ for n = 1, 2, 3, 4, 5, and 6. Do you think that $Q_n$ is prime infinitely 
often? (Note: This is an unresolved question.) 

12. Show that if $p_k$ is the kth prime, where k is a positive integer, then $p_n < p_1 p_2 \cdots p_{n-1} + 1$ 
for all integers n with n > 3. 

13. Show that if the smallest prime factor p of the positive integer n exceeds $\sqrt[3]{n}$, then n/p must 
be prime or 1. 

14. Show that if p is a prime in the arithmetic progression 3n + 1, n = 1, 2, 3, . . . , then it is also 
in the arithmetic progression 6n + 1, n = 1, 2, 3, . . . . 

15. Find the smallest prime in the arithmetic progression an + b, for these values of a and b: 

a) a = 3, b = 1 b) a = 5, b = 4 c) a = 11, b = 16 

16. Find the smallest prime in the arithmetic progression an + b, for these values of a and b: 

a) a = 5, b = 1 b) a = 7, b = 2 c) a = 23, b = 13 

17. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal 
expansion ends with a 1. 

18. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal 
expansion ends with the two digits 23. 

19. Use Dirichlet’s theorem to show that there are infinitely many primes whose decimal 
expansion ends with the three digits 123. 

20. Show that for every positive integer n there is a prime whose decimal expansion ends with at 
least n 1s. 

* 21. Show that for every positive integer n there is a prime whose decimal expansion contains n 
consecutive 1s and whose final digit is 3. 

* 22. Show that for every positive integer n there is a prime whose decimal expansion contains n 
consecutive 2s and whose final digit is 7. 

23. Use the second principle of mathematical induction to prove that every integer greater than 
1 is either prime or the product of two or more primes. 

* 24. Use the principle of inclusion-exclusion (Exercise 16 of Appendix B) to show that 


Tt(n) = (; n(yfn ) - 1) + n - + [~ + + [^”]) 

where $p_1, p_2, \ldots, p_r$ are the primes less than or equal to $\sqrt{n}$ (with $r = \pi(\sqrt{n})$). (Hint: Let 
property $P_i$ be the property that an integer is divisible by $p_i$.) 

25. Use Exercise 24 to find $\pi(250)$. 

26. Show that $x^2 - x + 41$ is prime for all integers x with 0 < x < 40. Show, however, that it is 
composite for x = 41. 

27. Show that $2n^2 + 11$ is prime for all integers n with 0 < n < 10, but is composite for n = 11. 

28. Show that $2n^2 + 29$ is prime for all integers n with 0 < n < 28, but is composite for n = 29. 

* 29. Show that if $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where n > 1 and the coefficients are 
integers, then there is a positive integer y such that f(y) is composite. (Hint: Assume that 
f(x) = p is prime, and show that p divides f(x + kp) for all integers k. Conclude that there 
is an integer y such that f(y) is composite from the fact that a polynomial of degree n, n > 1, 
takes on each value at most n times.) 


The lucky numbers are generated by the following sieving process: Start with the positive integers. 
Begin the process by crossing out every second integer in the list, starting your count with the 
integer 1. Other than 1, the smallest integer not crossed out is 3, so we continue by crossing out 
every third integer left, starting the count with the integer 1. The next integer left is 7, so we cross 
out every seventh integer left. Continue this process, where at each stage we cross out every kth 
integer left, where k is the smallest integer not crossed out, other than 1, not yet used in the sieving 
process. The integers that remain are the lucky numbers. 

30. Find all lucky numbers less than 100. 

31. Show that there are infinitely many lucky numbers. 

32. Suppose that $t_k$ is the smallest prime greater than $Q_k = p_1 p_2 \cdots p_k + 1$, where $p_j$ is the jth 
prime number. 

a) Show that $t_k - Q_k + 1$ is not divisible by $p_j$ for j = 1, 2, . . . , k. 

b) R. F. Fortune conjectured that $t_k - Q_k + 1$ is prime for all positive integers k. Show that 
this conjecture is true for all positive integers k with k < 5. 

Computations and Explorations 

1. Find the nth prime, where n is each of the following integers. 

a) 1,000,000 b) 333,333,333 c) 1,000,000,000 

2. Find the smallest prime greater than each of the following integers. 

a) 1,000,000 b) 100,000,000 c) 100,000,000,000 

3. Plot the nth prime as a function of n for 1 < n < 100. 

4. Plot $\pi(x)$ for 1 < x < 1000. 

5. Find the smallest prime factor of n! + 1 for all positive integers n not exceeding 20. 

6. Find the smallest prime factor of $p_1 p_2 \cdots p_k + 1$, where $p_1, p_2, \ldots, p_k$ are the k smallest 
primes, for all positive integers k not exceeding 100. Which of these numbers are prime? For 
which of those that are not prime is $p_{k+1}$ the smallest prime divisor of this number? 

7. Find the smallest prime factor of $p_1 p_2 \cdots p_k - 1$, where $p_1, p_2, \ldots, p_k$ are the k smallest 
primes, for all positive integers k not exceeding 100. Which of these numbers are prime? For 
which of those that are not prime is $p_{k+1}$ the smallest prime divisor of this number? 

8. The Euler-Mullin sequence $q_1, q_2, \ldots, q_k, \ldots$ is defined by taking $q_1 = 2$ and defining $q_{k+1}$ 
to be the smallest prime factor of $q_1 q_2 \cdots q_k + 1$ whenever k is a positive integer. Find as many 
terms of this sequence as you can. It has been conjectured that this sequence is a reordering 
of the list of prime numbers. 

9. Use the sieve of Eratosthenes to find all primes less than 10,000. 

10. Use the result given in Exercise 18 to find $\pi(10{,}000)$, the number of primes not exceeding 
10,000. 

11. A famous unsettled conjecture of Hardy and Littlewood, now generally believed to be false, 
asserts that $\pi(x + y) < \pi(x) + \pi(y)$ for all integers x and y both greater than 1. Explore this 
conjecture by examining $\pi(x + y) - (\pi(x) + \pi(y))$ for various values of x and y. 

12. Verify R. F. Fortune’s conjecture that $t_k - Q_k + 1$ is prime for all positive integers k, where 
$t_k$ is the smallest prime greater than $Q_k = \prod_{j=1}^{k} p_j + 1$, for as many k as you can. 

13. Find all lucky numbers (as defined in the preamble to Exercise 30) not exceeding 10,000. 

Programming Projects 

1. Given a positive integer n, determine whether it is prime using trial division of the integer by 
all primes not exceeding its square root. 

* 2. Given a positive integer n, use the sieve of Eratosthenes to find all primes not exceeding it. 

* 3. Given a positive integer n, use Exercise 24 to find $\pi(n)$. 

4. Given positive integers a and b not divisible by the same prime, find the smallest prime 
number in the arithmetic progression an + b, where n is a positive integer. 

* 5. Given a positive integer n, find the lucky numbers less than n (see the preamble to Exercise 
30). 


3.2 The Distribution of Primes 

We know that there are infinitely many primes, but can we estimate how many primes 
there are less than a positive real number x? One of the most famous theorems of number 
theory, and of all mathematics, is the prime number theorem, which answers this question. 

Mathematicians in the late eighteenth century examined tables of prime numbers 
created using hand calculations. Using these values, they looked for functions that 
estimated $\pi(x)$. In 1798, French mathematician Adrien-Marie Legendre (see Chapter 11 
for a biography) used tables of primes up to 400,031, computed by Jurij Vega, to note 
that $\pi(x)$ could be approximated by the function 

$$\frac{x}{\log x - 1.08366}.$$

The great German mathematician Karl Friedrich Gauss (see Chapter 4 for a biography) 
conjectured that $\pi(x)$ increases at the same rate as the functions 

$$x/\log x \quad \text{and} \quad \mathrm{Li}(x) = \int_2^x \frac{dt}{\log t}$$

(where $\int_2^x \frac{dt}{\log t}$ represents the area under the curve y = 1/log t and above the t-axis from 
t = 2 to t = x). (The name Li is an abbreviation of logarithmic integral.) 

Neither Legendre nor Gauss managed to prove that these functions approximated 
$\pi(x)$ closely for large values of x. By 1811, a table of all primes up to 1,020,000 had been 
produced (by Chernac), which could be used to provide evidence for these conjectures. 

The first substantial result showing that $\pi(x)$ could be approximated by $x/\log x$ was 
established in 1850 by Russian mathematician Pafnuty Lvovich Chebyshev. He showed 
that there are positive real numbers $C_1$ and $C_2$, with $C_1 < 1 < C_2$, such that 

$$C_1 (x/\log x) < \pi(x) < C_2 (x/\log x)$$

for sufficiently large values of x. (In particular, he showed that this result holds with 
$C_1 = 0.929$ and $C_2 = 1.1$.) He also demonstrated that if the ratio of $\pi(x)$ and $x/\log x$ 
approaches a limit as x increases, then this limit must be 1. 

The prime number theorem, which states that the ratio of $\pi(x)$ and $x/\log x$ 
approaches 1 as x grows without bound, was finally proved in 1896, when French 
mathematician Jacques Hadamard and Belgian mathematician Charles-Jean-Gustave- 
Nicholas de la Vallée-Poussin produced independent proofs. Their proofs were based 
on results from the theory of complex analysis. They used ideas developed in 1859 by 
German mathematician Bernhard Riemann, which related $\pi(x)$ to the behavior of the 
function 

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}$$

in the complex plane. (The function $\zeta(s)$ is known as the Riemann zeta function.) The 
connection between the Riemann zeta function and the prime numbers comes from the 
identity 

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s} = \prod_{p} \left(1 - \frac{1}{p^s}\right)^{-1},$$

where the product on the right-hand side of the equation extends over all primes p. We 
will explain why this identity is true in Section 3.5. (For information about the famous 
Riemann hypothesis, a conjecture about the roots of the zeta function, see the boxed note 
later in this section.) 


PAFNUTY LVOVICH CHEBYSHEV (1821-1894) was born on the estate 
of his parents in Okatovo, Russia. His father was a retired army officer. In 
1832, Chebyshev’s family moved to Moscow, where he completed his secondary 
education with study at home. In 1837, Chebyshev entered Moscow University, 
graduating in 1841. While still an undergraduate, he made his first original 
contribution, a new method for approximating roots of equations. Chebyshev 
joined the faculty of St. Petersburg University in 1843, where he remained until 
1882. His doctoral thesis, written in 1849, was long used as a number theory 
textbook at Russian universities. Chebyshev made contributions to many areas of mathematics besides 
number theory, including probability theory, numerical analysis, and real analysis. He worked in 
theoretical and applied mechanics, and had a bent for constructing mechanisms, including linkages 
and hinges. He was a popular teacher, and had a strong influence on the development of Russian 
mathematics. 




JACQUES HADAMARD (1865-1963) was born in Versailles, France. His 
father was a Latin teacher and his mother a distinguished piano teacher. After 
completing his undergraduate studies, he taught at a Paris secondary school. 
After receiving his doctorate in 1892, he became lecturer at the Faculté des 
Sciences of Bordeaux. He subsequently served on the faculties of the Sorbonne, 
the Collège de France, the École Polytechnique, and the École Centrale des Arts 
et Manufactures. Hadamard made important contributions to complex analysis, 
functional analysis, and mathematical physics. His proof of the prime number 
theorem was based on his work in complex analysis. Hadamard was a famous teacher; he wrote 
numerous articles about elementary mathematics that were used in French schools, and his text on 
elementary geometry was used for many years. 

In addition to proving the prime number theorem, de la Vallée-Poussin showed that 
the function Li(x) is a closer approximation to $\pi(x)$ than $x/(\log x - a)$ for all values of 
the constant a. 

The proofs of the prime number theorem found by Hadamard and de la Vallée-Poussin 
depend on complex analysis, though the theorem itself does not involve complex 
numbers. This left open the challenge of finding a proof that did not use the theory of 
complex variables. It surprised the mathematical community when, in 1949, Norwegian 
mathematician Atle Selberg and Hungarian mathematician Paul Erdős independently 
found elementary proofs of the prime number theorem. Their proofs, though elementary 
(meaning that they do not use the theory of complex variables), are quite complicated 
and difficult. 

We now formally state the prime number theorem. 

Theorem 3.4. The Prime Number Theorem. The ratio of $\pi(x)$ to $x/\log x$ approaches 
1 as x grows without bound. (Here, log x denotes the natural logarithm of x, and in the 
language of limits, we have $\lim_{x \to \infty} \pi(x)/(x/\log x) = 1$.) 


CHARLES-JEAN-GUSTAVE-NICHOLAS DE LA VALLÉE-POUSSIN 
(1866-1962), the son of a geology professor, was born at Louvain, Belgium. 
He studied at the Jesuit College at Mons, first studying philosophy, later turning 
to engineering. After receiving his degree, instead of pursuing a career in 
engineering, he devoted himself to mathematics. De la Vallée-Poussin’s most 
significant contribution to mathematics was his proof of the prime number 
theorem. Extending this work, he established results about the distribution of primes 
in arithmetic progressions and the distribution of primes represented by quadratic 
forms. Furthermore, he refined the prime number theorem to include error estimates. He made 
important contributions to differential equations, approximation theory, and analysis. His textbook, 
Cours d’analyse, had a strong impact on mathematical thought in the first half of the twentieth century. 


ATLE SELBERG (1917-2007), born in Langesund, Norway, became interested 
in mathematics as a schoolboy. He was inspired by Ramanujan’s writing, 
both by the mathematics and the “air of mystery” surrounding Ramanujan’s 
personality. Selberg received his doctorate in 1943 from the University of Oslo. He 
remained at the university until 1947, when he married and took a position at the 
Institute for Advanced Study in Princeton. After a brief stay at Syracuse University, 
he returned to the Institute for Advanced Study, where he was appointed 
a permanent member in 1949; he became a professor at Princeton University in 
1951. Selberg received the Fields Medal, the most prestigious award in mathematics, for his work on 
sieve methods and on the properties of the set of zeros of the Riemann zeta function. He is also well 
known for his elementary proofs of the prime number theorem (also done by Paul Erdős), Dirichlet’s 
theorem on primes in arithmetic progressions, and the generalization of the prime number theorem 
for primes in arithmetic progressions. 

Remark. A concise way to state the prime number theorem is to write $\pi(x) \sim x/\log x$. 
Here, the symbol ~ denotes “is asymptotic to.” We write $a(x) \sim b(x)$ to denote that 
$\lim_{x \to \infty} a(x)/b(x) = 1$, and we say that a(x) is asymptotic to b(x). 


x           $\pi(x)$          $x/\log x$          $\pi(x)/(x/\log x)$    Li(x)             $\pi(x)/\mathrm{Li}(x)$
$10^{3}$    168               144.8               1.160                  178               0.9438202
$10^{4}$    1229              1085.7              1.132                  1246              0.9863563
$10^{5}$    9592              8685.9              1.104                  9630              0.9960540
$10^{6}$    78498             72382.4             1.085                  78628             0.9983466
$10^{7}$    664579            620420.7            1.071                  664918            0.9998944
$10^{8}$    5761455           5428681.0           1.061                  5762209           0.9998691
$10^{9}$    50847534          48254942.4          1.054                  50849235          0.9999665
$10^{10}$   455052512         434294481.9         1.048                  455055614         0.9999932
$10^{11}$   4118054813        3948131663.7        1.043                  4118165401        0.9999731
$10^{12}$   37607912018       36191206825.3       1.039                  37607950281       0.9999990
$10^{13}$   346065536839      334072678387.1      1.036                  346065645810      0.9999997
$10^{14}$   3204941750802     3102103442166.0     1.033                  3204942065692     0.9999999

Table 3.1 Approximations to $\pi(x)$. 


PAUL ERDŐS (1913-1996), born in Budapest, Hungary, was the son of high 
school mathematics teachers. When he was three years old, he could multiply 
three-digit numbers in his head, and when he was four, he discovered negative 
numbers on his own. At 17, he entered Eötvös University, graduating in four 
years with a Ph.D. in mathematics. After graduating, he spent four years at 
Manchester University, England, as a postdoctoral fellow. In 1938, he came 
to the United States because of the difficult political situation in Hungary, 
especially for Jews. 

Erdős made many significant contributions to combinatorics and to number theory. One of the 
discoveries of which he was most proud was his elementary proof of the prime number theorem. 
He also participated in the modern development of Ramsey theory, a part of combinatorics. Erdős 
traveled extensively throughout the world to work with other mathematicians. He traveled from one 
mathematician or group of mathematicians to the next, proclaiming, “My brain is open.” Erdős offered 
monetary rewards for the solutions of problems he found particularly interesting. Erdős wrote more 
than 1500 papers, with almost 500 coauthors. These coauthors are said to have Erdős number one. 
Otherwise, a mathematician’s Erdős number is k + 1 if the smallest Erdős number of his or her 
coauthors is k. Two fascinating biographies ([Sc98] and [Ho99]) and the film N is a Number [Cs07] 
give further details on his life and work. 

The prime number theorem tells us that the ratio between $x/\log x$ and $\pi(x)$ is close 
to 1 when x is large. However, there are functions for which the ratio between these 
functions and $\pi(x)$ approaches 1 more rapidly than it does for $x/\log x$. In particular, it 
has been shown that Li(x) is an even better approximation. In Table 3.1, we see evidence 
for the prime number theorem and that Li(x) is an excellent approximation of $\pi(x)$. (Note 
that the values of Li(x) have been rounded to the nearest integer.) 


The Riemann Hypothesis 

Many mathematicians consider the Riemann hypothesis, a conjecture about the zeros of 
the zeta function, the most important open problem in pure mathematics. For more than 
100 years, number theorists have struggled to solve this problem. Interest in it has spread, 
perhaps because a prize of one million dollars for a proof (if it is indeed true) has been 
offered by the Clay Mathematics Institute. Recently, many general-interest books about the 
Riemann hypothesis, such as [De03], [Sa03a], and [Sa03b], have appeared, even though the 
hypothesis involves sophisticated notions from complex analysis. We will briefly describe 
the Riemann hypothesis for the benefit of readers familiar with complex analysis, as well 
as for the general appreciation of others. 

We have defined the Riemann zeta function as $\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}$. This definition is valid 
for all complex numbers s with Re(s) > 1, where Re(s) is the real part of the complex 
number s. Riemann was able to extend the function defined by the infinite series to a function 
in the entire complex plane with a pole at s = 1. In his famous 1859 paper [Ri59], Riemann 
connected the zeta function with the distribution of prime numbers. He derived a formula for 
$\pi(x)$ in terms of the zeros of $\zeta(s)$. The more we understand about the location of the zeros 
of the zeta function, the more we know about the distribution of the primes. The Riemann 
hypothesis is a statement about the location of the zeros of this function. Before stating 
the hypothesis, we first note that the zeta function has zeros at the negative even integers 
−2, −4, −6, . . . , called the trivial zeros. The Riemann hypothesis is the assertion that 
the nontrivial zeros of $\zeta(s)$ all have real part equal to 1/2. Note that there is an equivalent 
formulation of the Riemann hypothesis in terms of the error introduced when Li(x) is used 
to estimate $\pi(x)$; this alternative formulation does not involve complex variables. In 1901, 
von Koch showed that the Riemann hypothesis is equivalent to the statement that the error 
that occurs when $\pi(x)$ is estimated by Li(x) is $O(x^{1/2} \log x)$. 

Many mathematicians believe the Riemann hypothesis is true, particularly because of 
the wealth of evidence supporting it. First, a vast amount of numerical evidence has been 
found. We now know that the first $2.5 \times 10^{11}$ zeros (in order of increasing imaginary parts) 
have real part equal to 1/2. (These computations were done by Sebastian Wedeniwski, who 
has set up a distributed computing project to carry them out called ZetaGrid.) Second, we 
know that at least 40% of the nontrivial zeros of the zeta function are simple and have real 
part equal to 1/2. Third, we know that if there are exceptions to the Riemann hypothesis, 
they must be rare as we move away from the line Re(s) = 1/2. Of course, it is still possible 
that this evidence is misleading us and that the Riemann hypothesis is not true. Perhaps this 
famous problem will be resolved in the next few years, or maybe it will resist all attacks 
for hundreds of years into the future. For more information about the Riemann hypothesis, 
consult [Ed01] and the online essay by Enrico Bombieri on the Web site for the Clay Institute 
Millennium Prize Problems. 

It is not necessary to find all primes not exceeding x to compute $\pi(x)$. One way to 
evaluate $\pi(x)$ without finding all the primes less than x is to use a counting argument 
based on the sieve of Eratosthenes (see Exercise 18 in Section 3.1). Efficient ways of 
computing $\pi(x)$ requiring only $O(x^{3/5+\epsilon})$ bit operations have been devised by Lagarias 
and Odlyzko [LaOd82]. The world record is currently held by Tomas Oliveira e Silva, 
who was able to compute $\pi(10^{23}) = 1{,}925{,}320{,}391{,}606{,}803{,}968{,}923$ in 2008. 

How big is the nth prime? From the prime number theorem, we know that 
$n = \pi(p_n) \sim p_n/\log p_n$. Because taking logarithms of both sides of an asymptotic 
formula maintains the asymptotic relationship, we find that $\log n \sim \log(p_n/\log p_n) = 
\log p_n - \log\log p_n \sim \log p_n$. Consequently, $p_n \sim n \log p_n \sim n \log n$. We state this fact 
as a corollary. 

Corollary 3.4.1. Let $p_n$ be the nth prime, where n is a positive integer. Then 
$p_n \sim n \log n$. That is, the nth prime is asymptotic to n log n. 

What is the probability that a randomly selected positive integer is prime? Given that 
there are approximately $x/\log x$ primes not exceeding x, the probability that x is prime 
is approximately $(x/\log x)/x = 1/\log x$. For example, the probability that an integer 
near $10^{1000}$ is prime is approximately $1/\log 10^{1000} \approx 1/2302$. Suppose that you want to 
find a prime with 1000 digits; what is the expected number of integers you must select 
before you find a prime? The answer is that you must select roughly 1/(1/2302) = 2302 
integers of this size before one of them will be a prime. Of course, you will need to check 
each one to determine whether it is prime. In Chapter 6, we will discuss how this can be 
done efficiently. 
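
The first columns of Table 3.1 and the density estimate 1/log x used above can be checked numerically. The following Python sketch is an added example, not code from the text: it sieves to 10^6 to recompute π(x) and x/log x, uses a segmented sieve to measure the spacing of primes near 10^12, and evaluates the expected number of candidates for a prime of a given size. The function names and the odd_only option (skipping even candidates, which the text does not discuss) are assumptions introduced here.

```python
import bisect
import math


def simple_sieve(limit):
    """Sieve of Eratosthenes: sorted list of all primes <= limit."""
    if limit < 2:
        return []
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for p in range(2, math.isqrt(limit) + 1):
        if flags[p]:
            # Cross out p*p, p*p + p, ...; smaller multiples are already gone.
            flags[p * p :: p] = bytearray(len(range(p * p, limit + 1, p)))
    return [i for i, is_p in enumerate(flags) if is_p]


def pnt_row(x, primes):
    """pi(x), x/log x and their ratio (the first columns of Table 3.1).

    `primes` must contain every prime <= x.
    """
    pi_x = bisect.bisect_right(primes, x)
    estimate = x / math.log(x)
    return pi_x, estimate, pi_x / estimate


def count_primes_in_window(lo, width):
    """Segmented sieve: number of primes in [lo, lo + width), for lo >= 2."""
    hi = lo + width
    flags = bytearray([1]) * width          # flags[i] stands for lo + i
    for p in simple_sieve(math.isqrt(hi - 1)):
        # First multiple of p inside the window, but never p itself.
        start = max(p * p, (lo + p - 1) // p * p)
        flags[start - lo :: p] = bytearray(len(range(start, hi, p)))
    return sum(flags)


def mean_gap(lo, width):
    """Measured average spacing of the primes in [lo, lo + width)."""
    return width / count_primes_in_window(lo, width)


def expected_draws(digits, odd_only=False):
    """Expected number of random integers near 10**digits examined before
    one is prime, from the density 1/log x."""
    log_x = digits * math.log(10)   # log(10**digits) without a huge float
    # Half of all integers are even, so testing only odd candidates
    # doubles the density among the numbers actually tested.
    return log_x / 2 if odd_only else log_x


if __name__ == "__main__":
    primes = simple_sieve(10**6)
    for k in range(3, 7):
        pi_x, est, ratio = pnt_row(10**k, primes)
        print(f"10^{k}: pi(x)={pi_x:6d}  x/log x={est:9.1f}  ratio={ratio:.3f}")
    print("mean gap near 10^12:", round(mean_gap(10**12, 10**5), 2),
          " log(10^12):", round(math.log(10**12), 2))
    print("1000-digit prime, expected draws:", round(expected_draws(1000)),
          " odd candidates only:", round(expected_draws(1000, odd_only=True)))
```

The measured spacing near 10^12 is a local check of the density 1/log x; the same estimate gives about 2302 draws at 1000 digits, or about half that when only odd candidates are tested.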

Gaps in the Distribution of Primes 

We have shown that there are infinitely many 
primes and we have discussed the abundance of primes below a given bound x, but we 
have yet to discuss how regularly primes are distributed throughout the positive integers. 
We first give a result that shows that there are arbitrarily long runs of integers containing 
no primes. 


One of the Largest Numbers Ever Appearing Naturally in a Proof 

Using the data in Table 3.1, we can show that for all x in the table, the difference $\mathrm{Li}(x) - \pi(x)$ 
is positive and increases as x grows. Gauss, who only had access to the data in the 
first few rows of this table, believed this trend held for all positive integers x. However, 
in 1914, the English mathematician J. E. Littlewood showed that $\mathrm{Li}(x) - \pi(x)$ changes 
sign infinitely many times. In his proof, Littlewood did not establish a lower bound for 
the first time that $\mathrm{Li}(x) - \pi(x)$ changes from positive to negative. This was done in 1933 
by Samuel Skewes, a student of Littlewood’s, who managed to show that $\mathrm{Li}(x) - \pi(x)$ 
changes signs for at least one x with $x < 10^{10^{10^{34}}}$, a humongous number. This number, 
known as Skewes’ constant, became famous as the largest number to appear naturally in a 
mathematical proof. Fortunately, in the past seven decades, considerable progress has been 
made in reducing this bound. The best current results show that $\mathrm{Li}(x) - \pi(x)$ changes sign 
near $x = 1.39822 \times 10^{316}$. 

Theorem 3.5. For any positive integer n, there are at least n consecutive composite 
positive integers. 

Proof. Consider the n consecutive positive integers 

$$(n + 1)! + 2,\ (n + 1)! + 3,\ \ldots,\ (n + 1)! + n + 1.$$

When $2 \le j \le n + 1$, we know that $j \mid (n + 1)!$. By Theorem 1.9 it follows that 
$j \mid (n + 1)! + j$. Hence, these n consecutive integers are all composite. ■ 

Example 3.4. The seven consecutive integers beginning with 8! + 2 = 40,322 are 
all composite. (However, these are much larger than the smallest seven consecutive 
composites, 90, 91, 92, 93, 94, 95, and 96.) ◄ 
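
The construction in the proof of Theorem 3.5 and the comparison made in Example 3.4 can be carried out for any n. The Python code below is an added example, not part of the text: factorial_run lists the integers (n + 1)! + j together with the divisor j from the proof, and first_composite_run scans for the smallest run of n consecutive composites. All function names are introduced here for illustration.

```python
import math


def factorial_run(n):
    """The integers (n+1)! + j for j = 2, ..., n + 1 from the proof of
    Theorem 3.5, each paired with the divisor j that the proof exhibits."""
    f = math.factorial(n + 1)
    return [(f + j, j) for j in range(2, n + 2)]


def is_prime(m):
    """Trial division by 2 and by odd d with d*d <= m."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def first_composite_run(n):
    """Smallest m such that m, m + 1, ..., m + n - 1 are all composite."""
    start, length, m = None, 0, 2
    while True:
        if is_prime(m):
            length = 0              # a prime ends the current run
        else:
            if length == 0:
                start = m           # a new run of composites begins here
            length += 1
            if length == n:
                return start
        m += 1


def compare(n):
    """(start of the factorial run, start of the smallest run) for length n."""
    return factorial_run(n)[0][0], first_composite_run(n)


if __name__ == "__main__":
    for value, j in factorial_run(7):
        print(f"{value} = {j} * {value // j}")
    for n in (3, 5, 7, 10, 13):
        print(n, compare(n))
```

For n = 7 this reproduces Example 3.4: the factorial run starts at 40,322, while the smallest run starts at 90.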

Conjectures About Primes 

Professional and amateur mathematicians alike find the prime numbers fascinating. It is 
not surprising that a tremendous variety of conjectures have been formulated concerning 
prime numbers. Some of these conjectures have been settled, but many still elude 
resolution. We will describe some of the best known of these conjectures here. 

Looking at tables of primes led mathematicians in the first half of the nineteenth 
century to make conjectures that the distribution of primes satisfies some basic properties, 
such as the following conjecture. 

Bertrand’s Conjecture. In 1845, the French mathematician Joseph Bertrand conjectured 
that for every positive integer n with n > 1, there is a prime p such that n < p < 2n. 
Bertrand verified this conjecture for all n not exceeding 3,000,000, but he could not 
produce a proof. The first proof of this conjecture was found by Pafnuty Lvovich Chebyshev 
in 1852. Because this conjecture has been proved, it is often called Bertrand’s postulate. 
(See Exercises 22-24 for an outline of a proof.) 

Theorem 3.5 shows that the gap between consecutive primes is arbitrarily long. On 
the other hand, primes may often be close together. The only consecutive primes are 2 


JOSEPH LOUIS FRANÇOIS BERTRAND (1822-1900) was born in Paris. 
He studied at the École Polytechnique from 1839 until 1841 and at the École des 
Mines from 1841 to 1844. Instead of becoming a mining engineer, he decided 
to become a mathematician. Bertrand was appointed to a position at the École 
Polytechnique in 1856, and, in 1862, he also became professor at the Collège 
de France. In 1845, on the basis of extensive numerical evidence in tables of 
primes, Bertrand conjectured that there is at least one prime between n and 2n 
for every integer n with n > 1. This result was first proved by Chebyshev in 1852. 
Besides working in number theory, Bertrand worked on probability theory and differential geometry. 
He wrote several brief volumes on the theory of probability and on analyzing data from observations. 
His book Calcul des probabilités, written in 1888, contains a paradox on continuous probabilities 
now known as Bertrand’s paradox. Bertrand was considered to be kind at heart, extremely clever, and 
full of spirit. 

and 3, because 2 is the only even prime. However, many pairs of primes differ by two; 
these pairs of primes are called twin primes. Examples are the pairs 3, 5 and 7, 11 and 
13, 101 and 103, and 4967 and 4969. 

Evidence seems to indicate that there are infinitely many pairs of twin primes. There 
are 35 pairs of twin primes less than $10^3$; 8169 pairs less than $10^6$; 3,424,506 pairs less 
than $10^9$; and 1,870,585,220 pairs less than $10^{12}$. This leads to the following conjecture. 


Twin Prime Conjecture. There are infinitely many pairs of primes p and p + 2. 


In 1966, Chinese mathematician J. R. Chen showed, using sophisticated sieve 
methods, that there are infinitely many primes p such that p + 2 has at most two prime 
factors. An active competition is under way to produce new largest pairs of twin primes. 
The current record for the largest pair of twin primes is $2{,}003{,}663{,}613 \cdot 2^{195{,}000} \pm 1$, a 
pair of primes with 58,711 digits each discovered in 2007. 


The twin prime conjecture asserts that infinitely many primes occur as pairs of 
consecutive odd numbers. However, consecutive primes may be far apart. A consequence 
of the prime number theorem is that as n grows, the average gap between the consecutive 
primes $p_n$ and $p_{n+1}$ is $\log p_n$. Number theorists have worked hard to prove results 
that show that the gaps between consecutive primes are much smaller than average 
for infinitely many primes. In 2005, a breakthrough was made by Daniel Goldston, 
Janos Pintz, and Cem Yildirim. They showed that for every positive number c, there 
are infinitely many pairs of consecutive primes $p_n$ and $p_{n+1}$ that differ less than c times 
$\log p_n$, the average distance between consecutive primes. They also showed that under 
the assumption of a conjecture known as the Elliott-Halberstam conjecture, there are 
infinitely many pairs of primes within 16 of each other. 

Viggo Brun showed that the sum $\sum_{p \text{ with } p+2 \text{ prime}} \left(\frac{1}{p} + \frac{1}{p+2}\right) = (1/3 + 1/5) + 
(1/5 + 1/7) + (1/11 + 1/13) + \cdots$ converges to a constant called Brun’s constant, which 
is approximately equal to 1.9021605824. Surprisingly, the computation of Brun’s constant 
has played a role in discovering flaws in Intel’s original Pentium chip. In 1994, 
Thomas Nicely at Lynchburg College in Virginia computed Brun’s constant in two 
different ways using different methods on a Pentium PC and came up with different answers. 
He traced the error back to a flaw in the Pentium chip and he alerted Intel to this problem. 
(See the box on page 89 for more information about Nicely’s discovery.) 


JING RUN CHEN (1933-1996) was a student of the prominent Chinese number 
theorist Loo Keng Hua. Chen was almost entirely devoted to mathematical 
research. During the Cultural Revolution in China, he continued his research, 
working almost all day and night in a tiny room with no electric lights, no table or 
chairs, only a small bed, and his books and papers. It was during this period that 
he made his most important discoveries concerning twin primes and Goldbach’s 
conjecture. Although he was a mathematical prodigy, Chen was considered to 
be next to hopeless in other aspects of life. He died in 1996 after a long illness. 

The Erdős Conjecture on Arithmetic Progressions of Primes. For every positive 
integer n > 3, there is an arithmetic progression of primes of length n. 

This conjecture most likely dates back more than a century; it was discussed by 
Paul Erdős in the 1930s. Although much numerical evidence was found to support this 
conjecture, it remained unsettled for many years. 

Example 3.5. The sequence 5, 11, 17, 23, 29 is an arithmetic progression of five primes 
and the sequence 199, 409, 619, 829, 1039, 1249, 1459, 1669, 1879, 2089 is an arithmetic 
progression of ten primes, as the reader should verify. ◄ 

The Dutch mathematician Johannes van der Corput (1890-1971) made some 
progress on this conjecture when he showed in 1939 that there are infinitely many arithmetic 
progressions of three primes. In a major breakthrough, Ben Green and Terence 
Tao were able to prove this conjecture in 2006. They began by attempting to show that 
there are infinitely many arithmetic progressions of four primes, but were able to prove 
the full conjecture, which is now known as the Green-Tao Theorem. Their proof, considered 
to be a mathematical tour de force, is a nonconstructive existence proof that 
combines ideas from several different areas of mathematics, including analytic number 
theory and ergodic theory. Because it is nonconstructive, it cannot be used to construct 


TERENCE TAO (born 1975) was born in Australia; his parents immigrated 
there from Hong Kong. His father is a pediatrician and his mother taught 
mathematics at a Hong Kong secondary school. Tao was a child prodigy. He 
taught himself arithmetic at the age of two. At 10, he became the youngest 
contestant at the International Mathematics Olympiad (IMO), later winning 
an IMO gold medal when he was 13. At 17, Tao received his bachelor’s and 
master’s degrees and began graduate studies at Princeton University, receiving 
his Ph.D. in three years. In 1996, he became a faculty member at the University 
of California, Los Angeles, where he continues to work. 

Tao is an extremely versatile mathematician who enjoys working on problems in diverse areas, 
including harmonic analysis, partial differential equations, number theory, and combinatorics. You can 
follow his work by reading his blog, which discusses progress on various problems. His most famous 
result is the Green-Tao Theorem, which tells us that there are arbitrarily long arithmetic progressions 
of primes. Besides working in pure mathematics, Tao has made important contributions to the 
applications of mathematics. For example, he has made key contributions to the area of compressive 
sampling, which involves the reconstruction of digital images using the least possible information. 

Tao has an amazing reputation among mathematicians; he has become a Mr. Fix-It for researchers 
in mathematics. The well-known mathematician Charles Fefferman, himself a child prodigy, has said, 
“If you’re stuck on a problem, then one way out is to interest Terence Tao.” In 2006, Tao was awarded 
a Fields Medal, the most prestigious award for mathematicians under the age of 40. He was also 
awarded a MacArthur Fellowship in 2006, and in 2008 he received the Allan T. Waterman award, 
which came with a $500,000 cash prize to support research work of scientists early in their career. 

Tao’s wife, Laura, is an engineer at the Jet Propulsion Laboratory. 
examples of arithmetic progressions of specified length. The Green-Tao theorem establishes 
a special case of a more general conjecture that Paul Erdős made in the 1930s, 
namely, that if the sum of the reciprocals of the elements of a set A of positive integers 
diverges, then A contains arbitrarily long arithmetic progressions. This more general 
conjecture remains unsettled. 

We now discuss perhaps the most notorious conjecture about primes. 

Goldbach’s Conjecture. Every even positive integer greater than 2 can be written as the 
sum of two primes. 

Example 3.6. The integers 10, 24, and 100 can be written as the sum of two primes in 
the following ways: 

10 = 3 + 7 = 5 + 5, 

24 = 5 + 19 = 7 + 17 = 11 + 13, 

100 = 3 + 97 = 11 + 89 = 17 + 83 
    = 29 + 71 = 41 + 59 = 47 + 53. ◄ 

This conjecture was stated by Christian Goldbach in a letter to Leonhard Euler in 
1742. It has been verified by a distributed computing effort for all even integers less 
than 10^18, with this limit increasing as computers become more powerful. Usually, there 
are many ways to write a particular even integer as the sum of primes, as Example 3.5 
illustrates. However, a proof that there is always at least one way has not yet been found. 
The best result known to date is due to J. R. Chen, who showed (in 1966), using powerful 
sieve methods, that all sufficiently large integers are the sum of a prime and the product 
of at most two primes. 
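
The representations listed in Example 3.6, and an exhaustive check of the conjecture over a small range, can be reproduced with a sieve. The Python code below is an added example, not taken from the book or from the distributed computing effort mentioned above; the function names and the search limits are assumptions, and representations are counted with p ≤ q.

```python
import math


def prime_flags(limit):
    """Sieve of Eratosthenes: flags[i] == 1 exactly when i is prime."""
    flags = bytearray([1]) * (limit + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(limit) + 1):
        if flags[i]:
            # strike out i*i, i*i + i, ... up to limit
            flags[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return flags


def goldbach_pairs(n, flags=None):
    """All (p, q) with p <= q, both prime, and p + q == n."""
    if flags is None:
        flags = prime_flags(n)
    return [(p, n - p) for p in range(2, n // 2 + 1) if flags[p] and flags[n - p]]


def goldbach_table(limit):
    """Number of representations for every even n with 4 <= n <= limit."""
    flags = prime_flags(limit)
    return {n: len(goldbach_pairs(n, flags)) for n in range(4, limit + 1, 2)}


def counterexamples(limit):
    """Even n in [4, limit] with no representation; empty if the conjecture holds there."""
    return [n for n, count in goldbach_table(limit).items() if count == 0]


if __name__ == "__main__":
    for n in (10, 24, 100):
        text = " = ".join(f"{p} + {q}" for p, q in goldbach_pairs(n))
        print(f"{n} = {text}")
    limit = 10000
    table = goldbach_table(limit)
    fewest = min(table.values())
    print(f"even n up to {limit} without a representation: {counterexamples(limit)}")
    print(f"fewest representations: {fewest}, at n = "
          f"{[n for n, count in table.items() if count == fewest]}")
```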

There are many conjectures concerning the number of primes of various forms, such 
as the following conjecture. 

The n^2 + 1 Conjecture. There are infinitely many primes of the form n^2 + 1, where n 
is a positive integer. 

The smallest primes of the form n^2 + 1 are 2 = 1^2 + 1, 5 = 2^2 + 1, 17 = 4^2 + 1, 
37 = 6^2 + 1, 101 = 10^2 + 1, 197 = 14^2 + 1, 257 = 16^2 + 1, and 401 = 20^2 + 1. The best 


CHRISTIAN GOLDBACH (1690-1764) was born in Königsberg, Prussia (the city noted 
in mathematical circles for its famous bridge problem). He became professor of mathematics 
at the Imperial Academy of St. Petersburg in 1725. In 1728, Goldbach went to Moscow to 
tutor Tsarevich Peter II. In 1742, he entered the Russian Ministry of Foreign Affairs as a staff 
member. Goldbach is most noted for his correspondence with eminent mathematicians, in 
particular Leonhard Euler and Daniel Bernoulli. Besides his well-known conjectures that 
every even positive integer greater than 2 is the sum of two primes and that every odd 
positive integer greater than 5 is the sum of three primes, Goldbach made several notable 
contributions to analysis. 
result known to date is that there are infinitely many integers n for which n^2 + 1 is 
either a prime or the product of two primes. This was shown by Henryk Iwaniec in 
1973. Conjectures such as the n^2 + 1 conjecture may be easy to state, but are sometimes 
extremely difficult to resolve (see [Ri96] for more information). 

We have discussed three of the four problems about primes described as “unattack- 
able by the present state of science” in 1912 by the famous number theorist Edmund 
Landau in his address at the International Congress of Mathematicians. These four prob- 
lems, known collectively as Landau’s problems, are Goldbach’s conjecture, the twin 
prime conjecture, the existence of infinitely many primes of the form n^2 + 1, and this 
conjecture of Legendre: 

The Legendre Conjecture. There is a prime between every pair of consecutive 
squares of integers. 


Pentium Chip Flaw 

The story behind the Pentium chip flaw encountered by Thomas Nicely shows that answers 
produced by computers should not always be trusted. A surprising number of hardware and 
software problems arise that lead to incorrect computational results. This story also shows 
that companies risk serious problems when they hide errors in their products. In June 1994, 
testers at Intel discovered that Pentium chips did not always carry out computations cor- 
rectly. However, Intel decided not to make public information about this problem. Instead, 
they concluded that because the error would not affect many users, it was unnecessary to 
alert the millions of owners of Pentium computers. The Pentium flaw involved an incor- 
rect implementation of an algorithm for floating-point division. Although the probability 
is low that divisions of numbers affected by this error come up in a computation, such di- 
visions arise in many computations in mathematics, science, and engineering, and even in 
spreadsheets running business applications. 

Later in that same month, Nicely came up with two different results when he used a 
Pentium computer to compute Brun’s constant in different ways. In October 1994, after 
checking all possible sources of computational error, Nicely contacted Intel customer sup- 
port. They duplicated his computations and verified the existence of an error. Furthermore, 
they told him that this error had not been previously reported. After not hearing any addi- 
tional information from Intel, Nicely sent e-mail to a few people telling them about this. 
These people forwarded the message to other interested parties, and within a few days, in- 
formation about the bug was posted on an Internet newsgroup. By late November, this story 
was reported by CNN, the New York Times, and the Associated Press. 

Surprised by the bad publicity, Intel offered to replace Pentium chips, but only for users 
running applications determined by Intel to be vulnerable to the Pentium division flaw. This 
offer did not mollify the Pentium user community. All the bad publicity drove Intel stock 
down several dollars a share and Intel became the object of many jokes, such as: “At Intel, 
quality is job 0.999999998.” Finally, in December 1994, Intel decided to offer a replacement 
Pentium chip upon request. They set aside almost half a billion dollars to cover costs, and 
they hired hundreds of extra employees to handle customer requests. Nevertheless, this story 
does have a happy ending for Intel. Their corrected and improved version of the Pentium 
chip was extremely successful. 
This conjecture was proposed by the French mathematician Adrien-Marie Legendre 
(see Chapter 11 for his biography). Numerical evidence for this conjecture shows that 
there is a prime between n^2 and (n + 1)^2 for all n < 10^18. Note that Ingham has shown 
that for sufficiently large n, there is a prime between n^3 and (n + 1)^3. 

Although all four unsettled conjectures described by Landau in 1912 remain open, 
partial progress has been made on each. We may see one or more of them settled in the 
next few years. However, it may still be the case that all remain unsettled a century from 
now. 


3.2 Exercises 

1. Find the smallest five consecutive composite integers. 

2. Find one million consecutive composite integers. 

3. Show that there are no “prime triplets,” that is, primes p, p + 2, and p + 4, other than 3, 5, 
and 7. 

4. Find the smallest four sets of prime triplets of the form p, p + 2, p + 6. 

5. Find the smallest four sets of prime triplets of the form p, p + 4, p + 6. 

6. Find the smallest prime between n and 2n for these values of n. 

a) 3 b) 5 c) 19 d) 31 

7. Find the smallest prime between n and 2n for these values of n. 

a) 4 b) 6 c) 23 d) 47 

8. Find the smallest prime between n^2 and (n + 1)^2 for all positive integers n with n < 10. 

9. Find the smallest prime between n^2 and (n + 1)^2 for all positive integers n with 11 < n < 20. 

* 10. Show that there are infinitely many primes that are not one of the primes in a pair of twin 
primes. (Hint: Apply Dirichlet’s theorem.) 

* 11. Show that there are infinitely many primes that are not part of a prime triple of the form p, 
p + 2, p + 6. (Hint: Apply Dirichlet’s theorem.) 

12. Verify Goldbach’s conjecture for each of the following values of n. 

a) 50 b) 98 c) 102 d) 144 e) 200 f) 222 

13. Goldbach also conjectured that every odd positive integer greater than 5 is the sum of three 
primes. Verify this conjecture for each of the following odd integers. 

a) 7 b) 17 c) 27 d) 97 e) 101 f) 199 

14. Show that every integer greater than 11 is the sum of two composite integers. 

15. Show that Goldbach’s conjecture that every even integer greater than 2 is the sum of two 
primes is equivalent to the conjecture that every integer greater than 5 is the sum of three 
primes. 

16. Let G(n) denote the number of ways to write the even integer n as the sum p + q, where p 
and q are primes with p ≤ q. Goldbach’s conjecture asserts that G(n) ≥ 1 for all even integers 
n with n > 2. A stronger conjecture asserts that G(n) tends to infinity as the even integer n 
grows without bound. 

a) Find G(n) for all even integers n with 4 < n < 30. 

b) Find G(158). c) Find G(188). 

* 17. Show that if n and k are positive integers with n > 1 and all n positive integers a, a + k, 
. . . , a + (n − 1)k are odd primes, then k is divisible by every prime less than n. 

Use Exercise 17 to help you solve Exercises 18-21. 

18. Find an arithmetic progression of length six that begins with the integer 7 and where every 
term is a prime. 

19. Find the smallest possible minimum difference for an arithmetic progression that contains 
four terms and where every term is a prime. 

20. Find the smallest possible minimum difference for an arithmetic progression that contains 
five terms and where every term is a prime. 

* 21. Find the smallest possible minimum difference for an arithmetic progression that contains 
six terms and where every term is a prime. 

22. a) In 1848, A. de Polignac conjectured that every odd positive integer is the sum of a 
prime and a power of two. Show that this conjecture is false by showing that 509 is a 
counterexample. 

b) Find the next smallest counterexample after 509. 

* 23. A prime power is an integer of the form p^n, where p is prime and n is a positive integer greater 
than 1. Find all pairs of prime powers that differ by 1. Prove that your answer is correct. 

* 24. Let n be a positive integer greater than 1 and let p_1, p_2, . . . , p_t be the primes not exceeding 
n. Show that p_1 p_2 · · · p_t < 4^n. 

* 25. Let n be a positive integer greater than 3 and let p be a prime such that 2n/3 < p < n. Show 
that p does not divide the binomial coefficient $\binom{2n}{n}$. 

* * 26. Use Exercises 24 and 25 to show that if n is a positive integer, then there exists a prime p 
such that n < p < 2n. (This is Bertrand’s conjecture.) 

27. Use Exercise 26 to show that if p_n is the nth prime, then p_n < 2^n. 

28. Use Bertrand’s conjecture to show that every positive integer n with n > 7 is the sum of 
distinct primes. 

29. Use Bertrand’s postulate to show that £ + ^ + • • • + does not equal an integer when 
n and m are positive integers. 

* 30. In this exercise, we show that if n is an integer with n > 4, then p_{n+1}^2 < p_1 p_2 · · · p_n, where 
p_k is the kth prime. This result is known as Bonse’s inequality. 

a) Let k be a positive integer. Show that none of the integers p_1 p_2 · · · p_{k−1} · 1 − 1, 
p_1 p_2 · · · p_{k−1} · 2 − 1, . . . , p_1 p_2 · · · p_{k−1} · p_k − 1 is divisible by one of the first k − 1 
primes and that if a prime p divides one of these integers, then it cannot divide another 
of these integers. 

b) Conclude from part (a) that if n − k + 1 < p_k, then there is an integer among those listed 
in part (a) not divisible by p_j for j = 1, . . . , n. (Hint: Use the pigeonhole principle.) 

c) Use part (b) to show that if n − k + 1 < p_k, then p_{n+1} < p_1 p_2 · · · p_k. Fix n and suppose 
that k is the least positive integer such that n − k + 1 < p_k. Show that n − k > p_{k−1} − 2 
and that p_{k−1} − 2 > k when k > 5 and that if n > 10, then k > 5. Conclude that if n > 20, 
then p_{n+1} < p_1 p_2 · · · p_k for some k with n − k > k. Use this to derive Bonse’s inequality 
when n > 10. 

d) Check the cases when 4 < n < 10 to finish the proof. 

31. Show that 30 is the largest integer n with the property that if k < n and there is no prime p 
that divides both k and n, then k is prime. (Hint: Show that if n has this property and n > p^2 
where p is prime, then p | n. Conclude that if n > 7^2, then n must be divisible by 2, 3, 5, 
and 7. Apply Bonse’s inequality to show that such an n must be divisible by every prime, a 
contradiction. Show that 30 has the desired property, but no n with 30 < n < 49 does.) 

32. Show that p_{n+1} p_{n+2} < p_1 p_2 · · · p_n, where p_k is the kth prime, whenever n is an integer with 
n > 4. (Hint: Use Bertrand’s postulate and the work done in part (c) of the proof of Bonse’s 
inequality.) 

33. Show that p_n^2 < p_{n−1} p_{n−2} p_{n−3}, where p_k is the kth prime number and n > 6. Also, show 
that inequality does not hold when n = 3, 4, or 5. (Hint: Use Bertrand’s postulate to obtain 
p_n < 2p_{n−1} and p_{n−1} < 2p_{n−2}.) 

34. Show that for every positive integer N there is an even number K so that there are more than 
N pairs of successive primes such that K is the difference between these successive primes. 
(Hint: Use the prime number theorem.) 

35. Use Corollary 3.4.1 to estimate the millionth prime. 

Computations and Explorations 

1. Verify as much of the information given in Table 3.1 as you can. 

2. Find as many terms as you can of the sequence of prime gaps d_n, n = 1, 2, . . . . 

3. Find as many tuples of primes of the form p, p + 2, and p + 6 as you can. 

4. Verify Goldbach’s conjecture for all even positive integers less than 10,000. 

5. Find all twin primes less than 10,000. 

6. Find the first pair of twin primes greater than each of the integers in Computation 1. 

7. Plot π_2(x), the number of twin primes not exceeding x, for 1 < x < 1000 and 1 < x < 10,000. 

8. Hardy and Littlewood conjectured that π_2(x), the number of twin primes not exceeding x, 
is asymptotic to 2C_2 x/(log x)^2 where $C_2 = \prod_{p>2} \left(1 - \frac{1}{(p-1)^2}\right)$. The constant C_2 is approximately 
equal to 0.66016. Determine how accurate this asymptotic formula for π_2(x) is for 
values of x as large as you can compute. 

9. Compute Brun’s constant with as much accuracy as possible. 

10. Explore the conjecture that G(n), the number of ways the even integer n is the sum p + q, 
of primes p ≤ q, satisfies G(n) > 10 for all even integers n > 188. 

11. An unsettled conjecture asserts that for every positive integer n, there is an arithmetic pro- 
gression of length n consisting of n consecutive prime numbers. The longest such arithmetic 
progression currently known consists of 22 consecutive primes. Find arithmetic progressions 
consisting of three consecutive primes with all primes less than 100 and four consecutive 
primes with all primes less than 500. 

12. Show that all terms of the arithmetic progression of length five that begins with 1,464,481 
and has common difference 210 are prime. 
13. Show that all terms of the arithmetic progression of length twelve that begins with 23,143 
and has common difference 30,030 are prime. 

14. Find an arithmetic progression containing ten primes that begins with 199. 

15. Andrica’s conjecture, named after Dorin Andrica, claims that $A_n = \sqrt{p_{n+1}} - \sqrt{p_n} < 1$ for all 
positive integers n, where p_n denotes the nth prime. Gather evidence for this conjecture by 
computing A_n for as many positive integers n as you can. From your work, make a conjecture 
about the largest value of A_n. 

16. Verify Legendre’s conjecture for n = 1000, n = 10,000, n = 100,000, and n = 1,000,000. 

17. Explore the conjecture that every even integer is the sum of two, not necessarily distinct, 
lucky numbers. Continue by exploring the conjecture that given a positive integer k, there is 
a positive integer n that can be expressed as the sum of two lucky numbers in exactly k ways. 

Programming Projects 

1. Given a positive integer n, verify Goldbach’s conjecture for all even integers less than n. 

2. Given a positive integer n, find all twin primes less than n. 

3. Given a positive integer m, find the first m primes of the form n^2 + 1, where n is a positive 
integer. 

4. Given an even positive integer n, find G(n), the number of ways to write n as the sum p + q, 
where p and q are primes with p ≤ q. 

5. Given a positive integer n, find as many arithmetic progressions of length n, where every 
term is a prime. 


3.3 Greatest Common Divisors and their Properties 

We introduced the concept of the greatest common divisor of two integers in Section 1.5. 
Recall that the greatest common divisor of two integers a and b not both 0, denoted by 
(a, b), is the largest integer that divides both a and b. We also specified that (0, 0) = 0 to 
ensure that results we prove about greatest common divisors hold in all cases. In Section 
1.5, we stated that two integers are called relatively prime if they share no common 
divisor greater than 1. 

Note that since the divisors of −a are the same as the divisors of a, it follows that 
(a, b) = (|a|, |b|) (where |a| denotes the absolute value of a, which equals a if a ≥ 0 
and −a if a < 0). Hence, we can restrict our attention to the greatest common divisors 
of pairs of positive integers. 

In Example 1.37, we noted that (15, 81) = 3. If we divide 15 and 81 by (15, 81) = 3, 
we obtain two relatively prime integers, 5 and 27. This is no surprise, because we have 
removed all common factors. This illustrates the following theorem, which tells us that 
we obtain two relatively prime integers when we divide each of two original integers by 
their greatest common divisor. 
Theorem 3.6. If a and b are integers with (a, b) = d, then (a/d, b/d) = 1. (In other 
words, a/d and b/d are relatively prime.) 

Proof. Let a and b be integers with (a, b) = d. We will show that a/d and b/d have 
no common positive divisors other than 1. Assume that e is a positive integer such that 
e | (a/d) and e | (b/d). Then there are integers k and l with a/d = ke and b/d = le, 
so that a = dek and b = del. Hence, de is a common divisor of a and b. Because d 
is the greatest common divisor of a and b, de ≤ d, so that e must be 1. Consequently, 
(a/d, b/d) = 1. ■ 

A fraction p/q where (p, q) = 1 is said to be in lowest terms. The following corollary 
tells us that every fraction equals a fraction in lowest terms. 

Corollary 3.6.1. If a and b ≠ 0 are integers, then a/b = p/q for some integers p and 
q ≠ 0 where (p, q) = 1. 

Proof. Suppose that a and b ≠ 0 are integers. Set p = a/d and q = b/d where d = 
(a, b). Then p/q = (a/d)/(b/d) = a/b. Theorem 3.6 tells us that (p, q) = 1, proving 
the corollary. ■ 

We do not change the greatest common divisor of two integers when we add a 
multiple of one of the integers to the other. In Example 3.6, we showed that (24, 84) = 12. 
When we add any multiple of 24 to 84, the greatest common divisor of 24 and the resulting 
number is still 12. For example, since 2 · 24 = 48 and (−3) · 24 = −72, we see that 
(24, 84 + 48) = (24, 132) = 12 and (24, 84 + (−72)) = (24, 12) = 12. The reason for 
this is that the common divisors of 24 and 84 are the same as the common divisors of 
24 and the integer that results when a multiple of 24 is added to 84. The proof of the 
following theorem justifies this reasoning. 

Theorem 3.7. Let a, b, and c be integers. Then (a + cb, b) = (a, b). 

Proof. Let a, b, and c be integers. We will show that the common divisors of a and 
b are exactly the same as the common divisors of a + cb and b. This will show that 
(a + cb, b) = (a, b). Let e be a common divisor of a and b. By Theorem 1.9, we see that 
e | (a + cb), so that e is a common divisor of a + cb and b. If f is a common divisor of 
a + cb and b, then by Theorem 1.9, we see that f divides (a + cb) − cb = a, so that f 
is a common divisor of a and b. Hence, (a + cb, b) = (a, b). ■ 

We will show that the greatest common divisor of the integers a and b, not both 0, 
can be written as a sum of multiples of a and b. To phrase this more succinctly, we use 
the following definition. 

Definition. If a and b are integers, then a linear combination of a and b is a sum of 
the form ma + nb, where both m and n are integers. 

Example 3.7. What are the linear combinations 9m + 15n, where m and n are both integers? 
Among these combinations are −6 = 1 · 9 + (−1) · 15; −3 = (−2) · 9 + 1 · 15; 0 = 
0 · 9 + 0 · 15; 3 = 2 · 9 + (−1) · 15; 6 = (−1) · 9 + 1 · 15; and so on. It can be shown that 
the set of all linear combinations of 9 and 15 is the set {. . . , −12, −9, −6, −3, 0, 3, 6, 9, 
12, . . .}, as the reader should verify after reading the proofs of the following two theorems. ◄ 


In Example 3.8, we found that (9, 15) = 3 appears as the smallest positive linear 
combination with integer coefficients of 9 and 15. This is no accident, as the following 
theorem demonstrates. 

Theorem 3.8. The greatest common divisor of the integers a and b, not both 0, is the 
least positive integer that is a linear combination of a and b. 

Proof. Let d be the least positive integer that is a linear combination of a and b. (There 
is a least such positive integer, using the well-ordering property, since at least one of two 
linear combinations 1 · a + 0 · b and (−1)a + 0 · b, where a ≠ 0, is positive.) We write 

(3.1) d = ma + nb, 

where m and n are integers. We will show that d | a and d | b. 

By the division algorithm, we have 

a = dq + r, 0 ≤ r < d. 

From this equation and (3.1), we see that 

r = a − dq = a − q(ma + nb) = (1 − qm)a − qnb. 

This shows that the integer r is a linear combination of a and b. Because 0 ≤ r < d, and 
d is the least positive linear combination of a and b, we conclude that r = 0, and hence 
d | a. In a similar manner, we can show that d | b. 

We have shown that d, the least positive integer that is a linear combination of 
a and b, is a common divisor of a and b. What remains to be shown is that it is the 
greatest common divisor of a and b. To show this, all we need show is that any common 
divisor c of a and b must divide d, since any proper positive divisor of d is less than d. 
Because d = ma + nb, if c | a and c | b, Theorem 1.9 tells us that c | d, so that d ≥ c. 
This concludes the proof. ■ 

From Theorem 3.8, we immediately see that the greatest common divisor of two 
integers a and b can be written as a linear combination of these integers. (Note that 
the theorem tells us not only that (a, b) can be written as a linear combination of these 
numbers, but also that it is the least such positive integer.) Because this is such an important 
fact, we state it explicitly as a corollary. 

Corollary 3.8.1. Bézout’s Theorem. If a and b are integers, then there are integers m 
and n such that ma + nb = (a, b). 

Corollary 3.8.1 is called Bézout’s theorem after Étienne Bézout, a French mathematician 
of the eighteenth century who proved a more general result about polynomials. 
Even though this corollary is known as Bézout’s theorem, it had been established for integers 
many years earlier by Claude Gaspar Bachet (see Chapter 13 for his biography). 
The equation ma + nb = (a, b) is known as Bézout’s identity, and any integers m and n 
that solve this equation for given integers a and b are called Bézout coefficients or Bézout 
numbers of the pair of integers a and b. 

Example 3.8. Note that (4, 10) = 2 because 1 and 2 are the only positive common 
divisors of 4 and 10. The equation (−2) · 4 + 1 · 10 = 2 shows that −2 and 1 are Bézout 
coefficients of 4 and 10. Because 8 · 4 + (−3) · 10 = 2, we see that 8 and −3 are also 
Bézout coefficients of 4 and 10. In fact, there are infinitely many different Bézout 
coefficients for 4 and 10 because −2 + 10t and 1 + (−4)t are Bézout coefficients of 
4 and 10 for every integer t. ◄ 

Because we will often need to apply Corollary 3.8.1 in the case where a and b 
are relatively prime integers, we call out this special case as a second corollary of 
Theorem 3.8. 

Corollary 3.8.2. The integers a and b are relatively prime integers if and only if there 
are integers m and n such that ma + nb = 1. 

Proof. To prove this corollary, note that if a and b are relatively prime, then (a, b) = 1. 
Consequently, by Theorem 3.8, 1 is the least positive integer that is a linear combination 
of a and b. It follows that there are integers m and n such that ma + nb = 1. Conversely, 
if there are integers m and n with ma + nb = 1, then by Theorem 3.8, it immediately 

ÉTIENNE BÉZOUT (1730-1783) was born in Nemours, France, where his father 
was a magistrate. His parents wanted him to follow in his father’s footsteps. 
However, he was enticed to become a mathematician by reading the writings of 
the great mathematician Leonhard Euler. Bézout published a series of research 
papers beginning in 1756, including several on integration. In 1758, he was appointed 
to a position at the Académie des Sciences in Paris; in 1763, he was 
appointed examiner of the Gardes de la Marine, where he was assigned the task 
of writing mathematics textbooks. This assignment led to a four-volume textbook 
completed in 1767. In 1768, Bézout was appointed examiner of the Corps d’Artillerie; he was 
promoted to higher positions in 1768 and in 1770. He is well known for his six-volume comprehensive 
textbook on mathematics published between 1770 and 1782. Bézout’s textbooks were extremely 
popular. In particular, his textbooks were studied by several generations of students who hoped to 
enter the École Polytechnique, the famous engineering and science school founded in 1794. These 
books were translated into English and used in North America, including at Harvard. 

His most important original work was published in 1779 in the book Théorie générale des 
équations algébriques, where he introduced important methods for solving simultaneous polynomial 
equations in many unknowns. The most well-known result in this book is now called Bézout’s 
Theorem, which in its general form tells us that the number of common points on two plane algebraic 
curves equals the product of the degrees of these curves. Bézout is also credited with inventing 
the determinant (which was called the Bezoutian by the great English mathematician James Joseph 
Sylvester). 

Bézout was considered to be a kind person with a warm heart, although he had a reserved and 
somber personality. He was happily married and a father. 
follows that (a, b) = 1. This follows because not both a and b are zero and 1 is clearly 
the least positive integer that is a linear combination of a and b. ■ 

Theorem 3.8 is valuable: We can obtain results about the greatest common divisor 
of two integers using the fact that the greatest common divisor is the least positive linear 
combination of these integers. Having different representations of the greatest common 
divisor of two integers allows us to choose the one that is most useful for a particular 
purpose. This is illustrated in the proof of the following theorem. 

Theorem 3.9. If a and b are positive integers, then the set of linear combinations of a 
and b is the set of integer multiples of (a, b). 

Proof. Suppose that d = (a, b). We first show that every linear combination of a and b 
must also be a multiple of d. First note that by the definition of greatest common divisor, 
we know that d | a and d | b. Now every linear combination of a and b is of the form 
ma + nb, where m and n are integers. By Theorem 1.9, it follows that whenever m and 
n are integers, d divides ma + nb. That is, ma + nb is a multiple of d. 

We now show that every multiple of d is also a linear combination of a and b. By 
Theorem 3.8, we know that there are integers r and s such that (a, b) = ra + sb. The 
multiples of d are the integers of the form jd, where j is an integer. Multiplying both 
sides of the equation d = ra + sb by j, we see that jd = (jr)a + (js)b. Consequently, 
every multiple of d is a linear combination of a and b. This completes the proof. ■ 

We have defined greatest common divisors using the notion that the integers are 
ordered. That is, given two distinct integers, one is larger than the other. However, we 
can define the greatest common divisor of two integers without relying on this notion of 
order, as we do in Theorem 3.10. This characterization of the greatest common divisor of 
two integers not depending on ordering is generalized in the study of algebraic number 
theory to apply to what are known as algebraic number fields. 

Theorem 3.10. If a and b are integers, not both 0, then a positive integer d is the 
greatest common divisor of a and b if and only if 

(i) d | a and d | b, and

(ii) if c is an integer with c | a and c | b, then c | d.

Proof. We will first show that the greatest common divisor of a and b has these two 
properties. Suppose that d = (a, b). By the definition of common divisor, we know that
d | a and d | b. By Theorem 3.8, we know that d = ma + nb, where m and n are integers.
Consequently, if c | a and c | b, then by Theorem 1.9, c | d = ma + nb. We have now
shown that if d = (a, b), then properties (i) and (ii) hold. 

Now assume that properties (i) and (ii) hold. Then we know that d is a common 
divisor of a and b. Furthermore, by property (ii), we know that if c is a common divisor 
of a and b, then c | d, so that d = ck for some integer k. Hence, c = d/k ≤ d. (We
have used the fact that a positive integer divided by any nonzero integer is less than that
integer.) This shows that a positive integer satisfying (i) and (ii) must be the greatest
common divisor of a and b. ■

Note that Theorem 3.10 tells us that the greatest common divisor of two integers a
and b, not both 0, is the positive common divisor of these integers that is divisible by all 
other common divisors. 

We have shown that the greatest common divisor of a and b, not both 0, is a 
linear combination of a and b. However, we have not explained how to find a particular 
linear combination of a and b that equals (a, b). In the next section, we will provide an 
algorithm that finds a particular linear combination of a and b that equals (a, b). 

We can also define the greatest common divisor of more than two integers. 

Definition. Let $a_1, a_2, \ldots, a_n$ be integers, not all 0. The greatest common divisor of
these integers is the largest integer that is a divisor of all of the integers in the set. The
greatest common divisor of $a_1, a_2, \ldots, a_n$ is denoted by $(a_1, a_2, \ldots, a_n)$. (Note that the
order in which the $a_i$'s appear does not affect the result.)

Example 3.9. We easily see that (12, 18, 30) = 6 and (10, 15, 25) = 5. ◄ 

We can use the following lemma to find the greatest common divisor of a set of more 
than two integers. 

Lemma 3.2. If $a_1, a_2, \ldots, a_n$ are integers, not all 0, then $(a_1, a_2, \ldots, a_{n-1}, a_n) =
(a_1, a_2, \ldots, a_{n-2}, (a_{n-1}, a_n))$.

Proof. Any common divisor of the n integers $a_1, a_2, \ldots, a_{n-1}, a_n$ is, in particular, a
divisor of $a_{n-1}$ and $a_n$, and therefore a divisor of $(a_{n-1}, a_n)$. Also, any common divisor
of the n - 1 integers $a_1, a_2, \ldots, a_{n-2}$, and $(a_{n-1}, a_n)$ must be a common divisor of all
n integers, for if it divides $(a_{n-1}, a_n)$, then it must divide both $a_{n-1}$ and $a_n$. Because the
set of n integers and the set of the first n - 2 integers together with the greatest common
divisor of the last two integers have exactly the same divisors, their greatest common
divisors are equal. ■

Example 3.10. To find the greatest common divisor of the three integers 105, 140, and 
350, we use Lemma 3.2 to see that (105, 140, 350) = (105, (140, 350)) = (105, 70) = 
35. ◄ 

Example 3.11. Consider the integers 15, 21, and 35. We find that the greatest common 
divisor of these three integers is 1 using the following steps: 

(15, 21, 35) = (15, (21, 35)) = (15, 7) = 1. 

Each pair among these integers has a common factor greater than 1, because (15, 21) = 3, 
(15, 35) = 5, and (21, 35) = 7. ◄

Example 3.11 motivates the following definition.

Definition. We say that the integers $a_1, a_2, \ldots, a_n$ are mutually relatively prime if
$(a_1, a_2, \ldots, a_n) = 1$. These integers are called pairwise relatively prime if, for each pair
of integers $a_i$ and $a_j$ with $i \neq j$ from the set, $(a_i, a_j) = 1$; that is, if each pair of integers
from the set is relatively prime.

The concept of pairwise relatively prime is used much more often than the concept
of mutually relatively prime. Also, note that pairwise relatively prime integers must be
mutually relatively prime, but that the converse is false (as the integers 15, 21, and 35 in
Example 3.11 show).
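The following Python sketch is an added illustration, not part of the original text. It computes the greatest common divisor of a list by the reduction of Lemma 3.2 and separates the two notions just defined by reporting every pair that shares a factor; the function names are chosen here for illustration.

```python
from itertools import combinations
from math import gcd


def gcd_many(nums):
    """Return (a_1, ..., a_n) by the reduction of Lemma 3.2.

    The last two entries are repeatedly replaced by their greatest common
    divisor, so (a_1, ..., a_{n-1}, a_n) = (a_1, ..., a_{n-2}, (a_{n-1}, a_n)).
    """
    nums = list(nums)
    if not nums or all(x == 0 for x in nums):
        raise ValueError("need at least one integer, and not all of them 0")
    while len(nums) > 1:
        last = nums.pop()
        nums[-1] = gcd(nums[-1], last)
    return abs(nums[0])


def shared_factor_pairs(nums):
    """List every pair (x, y, (x, y)) whose greatest common divisor exceeds 1."""
    return [(x, y, gcd(x, y))
            for x, y in combinations(nums, 2)
            if gcd(x, y) > 1]


def classify(nums):
    """Classify a list of integers according to the two definitions above."""
    if gcd_many(nums) != 1:
        return "not relatively prime"
    if shared_factor_pairs(nums):
        return "mutually but not pairwise relatively prime"
    return "pairwise relatively prime"


if __name__ == "__main__":
    # Inputs taken from Examples 3.9, 3.10 and 3.11; (4, 9, 25) is a
    # constructed pairwise relatively prime sample.
    for sample in ([12, 18, 30], [105, 140, 350], [15, 21, 35], [4, 9, 25]):
        print(sample, gcd_many(sample), classify(sample),
              shared_factor_pairs(sample))
```
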


3.3 Exercises

1. Find the greatest common divisor of each of the following pairs of integers.

a) 15, 35 b) 0, 111 c) -12, 18 d) 99, 100 e) 11, 121 f) 100, 102

2. Find the greatest common divisor of each of the following pairs of integers.

a) 5, 15 b) 0, 100 c) -27, -45 d) -90, 100 e) 100, 121 f) 1001, 289

3. Let a be a positive integer. What is the greatest common divisor of a and 2a? 

4. Let a be a positive integer. What is the greatest common divisor of a and $a^2$?

5. Let a be a positive integer. What is the greatest common divisor of a and a + 1? 

6. Let a be a positive integer. What is the greatest common divisor of a and a + 2? 

7. Show that the greatest common divisor of two even numbers is even. 

8. Show that the greatest common divisor of an even number and an odd number is odd.

9. Show that if a and b are integers, not both 0, and c is a nonzero integer, then (ca, cb) =
|c|(a, b).

10. Show that if a and b are integers with (a, b) = 1, then (a + b, a - b) = 1 or 2.

11. What is $(a^2 + b^2, a + b)$, where a and b are relatively prime integers that are not both 0?

12. Show that if a and b are both even integers that are not both 0, then (a, b) = 2(a/2, b/2).

13. Show that if a is an even integer and b is an odd integer, then (a, b) = (a/2, b).

14. Show that if a, b, and c are integers such that (a, b) = 1 and c | (a + b), then (c, a) = (c, b) =
1.

15. Show that if a, b, and c are mutually relatively prime nonzero integers, then (a, bc) =
(a, b)(a, c).

16. a) Show that if a, b, and c are integers with (a, b) = (a, c) = 1, then (a, bc) = 1.

b) Use mathematical induction to show that if $a_1, a_2, \ldots, a_n$ are integers, and b is another
integer such that $(a_1, b) = (a_2, b) = \cdots = (a_n, b) = 1$, then $(a_1 a_2 \cdots a_n, b) = 1$.

17. Find a set of three integers that are mutually relatively prime, but any two of which are not 
relatively prime. Do not use examples from the text. 

18. Find four integers that are mutually relatively prime such that any three of these integers are 
not mutually relatively prime. 

19. Find the greatest common divisor of each of the following sets of integers.

a) 8, 10, 12 b) 5, 25, 75 c) 99, 9999, 0 d) 6, 15, 21 e) -7, 28, -35 f) 0, 0, 1001

20. Find three mutually relatively prime integers from among the integers 66, 105, 42, 70, and 
165. 

21. Show that if $a_1, a_2, \ldots, a_n$ are integers that are not all 0 and c is a positive integer, then
$(ca_1, ca_2, \ldots, ca_n) = c(a_1, a_2, \ldots, a_n)$.

22. Show that the greatest common divisor of the integers $a_1, a_2, \ldots, a_n$, not all 0, is the least
positive integer that is a linear combination of $a_1, a_2, \ldots, a_n$.

23. Show that if k is an integer, then the integers 6k - 1, 6k + 1, 6k + 2, 6k + 3, and 6k + 5 are
pairwise relatively prime.

24. Show that if k is a positive integer, then 3k + 2 and 5k + 3 are relatively prime.

25. Show that 8a + 3 and 5a + 2 are relatively prime for all integers a.

26. Show that if k is a positive integer, then (6k + 1)/(3k + 4) is in lowest terms.

27. Show that if k is a positive integer, then (15k + 4)/(10k + 3) is in lowest terms.

28. Show that if a and b are relatively prime integers, then (a + 2b, 2a + b) = 1 or 3. 

29. Show that every positive integer greater than 6 is the sum of two relatively prime integers 
greater than 1. 

30. Show that if n is a positive integer, then $(n + 1, n^2 - n + 1) = 1$ or 3.

31. Show that if n is a positive integer, then $(2n^2 + 6n - 4, 2n^2 + 4n - 3) = 1$.

32. Show that if n is a positive integer, then $(n^2 + 2, n^3 + 1) = 1$, 3, or 9.

The Farey series $\mathcal{F}_n$ of order n, named after John Farey, is the set of fractions h/k, where h and
k are integers, 0 ≤ h ≤ k ≤ n, and (h, k) = 1, in ascending order. We include 0 and 1 in the forms
0/1 and 1/1, respectively. For instance, the Farey series of order 4 is

0/1, 1/4, 1/3, 1/2, 2/3, 3/4, 1/1.

Exercises 33-37 deal with Farey series. 

33. Find the Farey series of order 5. 

34. Find the Farey series of order 7. 

35. Show that if a/b, c/d, and e/f are successive terms of a Farey series, then

c/d = (a + e)/(b + f).

36. Show that if a/b and c/d are successive terms of a Farey series, then ad - bc = -1.

37. Show that if a/b and c/d are successive terms of the Farey series of order n, then b + d > n.

38. a) Show that if a and b are positive integers, then $((a^n - b^n)/(a - b), a - b) = (n(a, b)^{n-1}, a - b)$.

b) Show that if a and b are relatively prime positive integers, then
$((a^n - b^n)/(a - b), a - b) = (n, a - b)$.

39. Show that if a, b, c, and d are integers such that b and d are positive, (a, b) = (c, d) = 1, and
a/b + c/d is an integer, then b = d.

40. What can you conclude if a, b, and c are positive integers such that (a, b) = ( b , c) = 1 and 
£ + £ + £ is an integer? 

41. Show that if a and b are positive integers, then $(a, b) = 2 \sum_{i=1}^{a-1} [bi/a] + a + b - ab$. (Hint:
Count the number of lattice points, that is, points with integer coordinates, inside or on the 
triangle with vertices (0, 0), (0, b ), and (a, 0) in two different ways.) 

42. Show that if n is a positive integer and i and j are integers with 1 ≤ i < j ≤ n, then
$(n! \cdot i + 1, n! \cdot j + 1) = 1$.

43. Use Exercise 42 to show that there are infinitely many primes. (Hint: Assume that there are
exactly r primes and consider the r + 1 numbers $(r + 1)! \cdot i + 1$ for i = 1, 2, ..., r + 1. This
proof was discovered by P. Schorn.)

44. Show that if c and d are relatively prime positive integers, then the integers $a_j$, j =
0, 1, 2, ..., defined by $a_0 = c$ and $a_n = a_0 a_1 \cdots a_{n-1} + d$ for n = 1, 2, ..., are pairwise
relatively prime.


JOHN FAREY (1766-1826) attended school in Woburn, England, until the age of 16. In 
1782, he entered a school in Halifax, Yorkshire, where he studied mathematics, drawing, 
and surveying. In 1790, he married, and his first son was born the following year. In 1792,
the Duke of Bedford appointed Farey as land steward for his Woburn estates. Farey held 
this post until 1802, developing expertise in geology. When the duke died suddenly, the 
duke’s brother dismissed Farey, who went to London and established an extensive practice 
as a surveyor and geologist. 

Farey’s geologic work included studies of soils and strata in Derbyshire. He also 
produced a map of the strata visible between London and Brighton. Farey also produced 
extensive scientific writings, publishing around 60 articles in philosophical and scientific 
magazines. These articles address a wide range of topics, including geology, forestry, 
physics, and many other areas. 

Although he achieved moderate fame as a geologist, ironically Farey is remembered 
for a contribution to mathematics. In his four-paragraph 1816 article, “On a curious property 
of vulgar fractions,” Farey noted that a reduced fraction p/q with 0 < p/q < 1 and q < n 
equals the fraction whose numerator and denominator are the sum of the numerators and the 
sum of the denominators, respectively, of the fractions on either side of p/q when all reduced 
fractions between 0 and 1 with denominators not exceeding n are written in increasing order 
(see Exercise 27). Farey said he was unaware whether this property was already known. He 
also wrote that he did not have a proof. The French mathematician Cauchy read Farey’s 
article and proved this property in the book Exercises de mathematique, published in 1816. 
It was Cauchy who coined the name Farey series because he thought Farey was the first 
person to notice this property. 

Not surprisingly, Farey was not the first person to notice the property for which he 
became famous. In 1802, C. Haros wrote an article in which he approximates decimal 
fractions using common fractions, constructing the Farey sequence for n = 99. 

Computations and Explorations

1. Find (987654321, 123456789) and [987654321, 123456789]. 

2. Find (122333444455555, 666667777888990) and [12233344445555, 666667777888990]. 

3. Construct the Farey series of order 100. 

4. Verify the properties of the Farey series given in Exercises 27, 28, and 29 for successive terms 
of your choice in the Farey series of order 100. 

* 5. The number of Farey fractions of order n, $|\mathcal{F}_n|$, is asymptotic to $3n^2/\pi^2$. Explore how well
this asymptotic formula approximates $|\mathcal{F}_n|$ for increasingly larger values of n.

Programming Projects 

1. Given two positive integers m and n and their lists of positive divisors, find (m, n). 

2. Given a positive integer n, list the Farey series of order n. 


3.4 The Euclidean Algorithm 

We are going to develop a systematic method, or algorithm, to find the greatest common 
divisor of two positive integers. This method is called the Euclidean algorithm. It is 
named after the ancient Greek mathematician Euclid, who describes this algorithm in his 
Elements. (The same method for finding greatest common divisors was also described in 
the sixth century by the Indian mathematician Aryabhata, who called it “the pulverizer.”) 

Before we discuss the algorithm in general, we demonstrate its use with an example. 
We find the greatest common divisor of 30 and 72. First, we use the division algorithm
to write 72 = 30 · 2 + 12, and we use Theorem 3.7 to note that (30, 72) = (30, 72 -
2 · 30) = (30, 12). Note that we have replaced 72 by the smaller number 12 in our
computations because (72, 30) = (30, 12). Next, we use the division algorithm again to
write 30 = 2 · 12 + 6. Using the same reasoning as before, we see that (30, 12) = (12, 6).


EUCLID (c. 350 b.c.e.) was the author of the most successful mathematics
textbook ever written, namely his Elements, which has appeared in over a
thousand editions from ancient to modern times. Very little is known about
Euclid’s life, other than that he taught at the famed academy at Alexandria.
Evidently he did not stress the applications of mathematics, for it is reputed
that when asked by a student for the use of geometry, Euclid had his slave give
the student some coins, “because he must needs make gain of what he learns.”
Euclid’s Elements provides an introduction to plane and solid geometry, and to
number theory. The Euclidean algorithm is found in Book VII of the thirteen books in the Elements,
and his proof of the infinitude of primes is found in Book IX. Euclid also wrote books on a variety of
other topics, including astronomy, optics, music, and mechanics.

Because 12 = 6 · 2 + 0, we now see that (12, 6) = (6, 0) = 6. Consequently, we can
conclude that (72, 30) = 6, without finding all the common divisors of 30 and 72. 

We now present the general form of the Euclidean algorithm for computing the 
greatest common divisor of two positive integers. 

Theorem 3.11. The Euclidean Algorithm. Let $r_0 = a$ and $r_1 = b$ be integers such
that a > b > 0. If the division algorithm is successively applied to obtain $r_j = r_{j+1} q_{j+1}
+ r_{j+2}$, with $0 < r_{j+2} < r_{j+1}$ for j = 0, 1, 2, ..., n - 2 and $r_{n+1} = 0$, then $(a, b) = r_n$,
the last nonzero remainder. ■

From this theorem, we see that the greatest common divisor of a and b is the last 
nonzero remainder in the sequence of equations generated by successively applying 
the division algorithm and continuing until a remainder is 0 — where, at each step, the 
dividend and divisor are replaced by smaller numbers, namely, the divisor and remainder. 

To prove that the Euclidean algorithm produces greatest common divisors, the 
following lemma will be helpful. 

Lemma 3.3. If e and d are integers and e = dq + r, where q and r are integers, then
(e, d) = (d, r).

Proof. This lemma follows directly from Theorem 3.7, taking a = r, b = d, and c = q.


We now prove that the Euclidean algorithm produces the greatest common divisor 
of two integers. 

Proof. Let $r_0 = a$ and $r_1 = b$ be positive integers with a > b. By successively applying
the division algorithm, we find that 


ARYABHATA (476-550) was born in Kusumapura (now Patna), India. He is the author
of the Aryabhatiya, a summary of Hindu mathematics written entirely in verse. This book
covers astronomy, geometry, plane and spherical trigonometry, arithmetic, and algebra.
Topics studied include formulas for areas and volumes, continued fractions, sums of power
series, an approximation for π, and tables of sines. Aryabhata also described a method for
finding greatest common divisors that is the same as the method described by Euclid. His 
formulas for the areas of triangles and circles are correct, but those for the volumes of spheres 
and pyramids are wrong. Aryabhata also produced an astronomy text, Siddhanta, which 
includes a number of remarkably accurate statements (as well as other statements that are 
not correct). For example, he states that the orbits of the planets are ellipses, and he correctly 
describes the causes of solar and lunar eclipses. India named its first satellite, launched 
in 1975 by the Russians, Aryabhata, in recognition of his fundamental contributions to 
astronomy and mathematics. 

$$
\begin{aligned}
r_0 &= r_1 q_1 + r_2, & 0 < r_2 < r_1, \\
r_1 &= r_2 q_2 + r_3, & 0 < r_3 < r_2, \\
&\;\;\vdots \\
r_{j-2} &= r_{j-1} q_{j-1} + r_j, & 0 < r_j < r_{j-1}, \\
&\;\;\vdots \\
r_{n-4} &= r_{n-3} q_{n-3} + r_{n-2}, & 0 < r_{n-2} < r_{n-3}, \\
r_{n-3} &= r_{n-2} q_{n-2} + r_{n-1}, & 0 < r_{n-1} < r_{n-2}, \\
r_{n-2} &= r_{n-1} q_{n-1} + r_n, & 0 < r_n < r_{n-1},
\end{aligned}
$$

We can assume that we eventually obtain a remainder of zero, because the sequence
of remainders $a = r_0 > r_1 > r_2 > \cdots \geq 0$ cannot contain more than a terms (because
each remainder is an integer). By Lemma 3.3, we see that $(a, b) = (r_0, r_1) = (r_1, r_2) =
(r_2, r_3) = \cdots = (r_{n-3}, r_{n-2}) = (r_{n-2}, r_{n-1}) = (r_{n-1}, r_n) = (r_n, 0) = r_n$. Hence, $(a, b) =
r_n$, the last nonzero remainder. ■

We illustrate the use of the Euclidean algorithm with the following example. 

Example 3.12. The steps used by the Euclidean algorithm to find (252, 198) are
252 = 1 · 198 + 54
198 = 3 · 54 + 36
54 = 1 · 36 + 18
36 = 2 · 18.

We summarize these steps in the following table:

j    r_j    r_{j+1}    q_{j+1}    r_{j+2}
0    252    198        1          54
1    198    54         3          36
2    54     36         1          18
3    36     18         2          0


The last nonzero remainder (found in the next-to-last row in the last column) is the 
greatest common divisor of 252 and 198. Hence, (252, 198) = 18. ◄ 

The Euclidean algorithm is an extremely fast way to find greatest common divisors.
Later, we will see this when we estimate the maximum number of divisions used
by the Euclidean algorithm to find the greatest common divisor of two positive integers.
However, we first show that, given any positive integer n, there are integers a and b such
that exactly n divisions are required to find (a, b) using the Euclidean algorithm. We can
find such numbers by taking successive terms of the Fibonacci sequence. 

The reason that the Euclidean algorithm operates so slowly when it finds the greatest 
common divisor of successive Fibonacci numbers is that the quotient in all but the last 
step is 1, as illustrated in the following example. 

Example 3.13. We apply the Euclidean algorithm to find (34, 55). Note that $f_9 = 34$
and $f_{10} = 55$. We have

55 = 34 · 1 + 21
34 = 21 · 1 + 13
21 = 13 · 1 + 8
13 = 8 · 1 + 5
8 = 5 · 1 + 3
5 = 3 · 1 + 2
3 = 2 · 1 + 1
2 = 1 · 2.

Observe that when the Euclidean algorithm is used to find the greatest common divisor of
$f_9 = 34$ and $f_{10} = 55$, a total of eight divisions are required. Furthermore, (34, 55) = 1,
because 1 is the last nonzero remainder. ◄

The following theorem tells us how many divisions are used by the Euclidean 
algorithm to find the greatest common divisor of successive Fibonacci numbers. 

Theorem 3.12. Let $f_{n+1}$ and $f_{n+2}$ be successive terms of the Fibonacci sequence,
with n > 1. Then the Euclidean algorithm takes exactly n divisions to show that
$(f_{n+1}, f_{n+2}) = 1$.

Proof. Applying the Euclidean algorithm, and using the defining relation for the Fibonacci
numbers $f_j = f_{j-1} + f_{j-2}$ in each step, we see that

$$
\begin{aligned}
f_{n+2} &= f_{n+1} \cdot 1 + f_n, \\
f_{n+1} &= f_n \cdot 1 + f_{n-1}, \\
&\;\;\vdots \\
f_4 &= f_3 \cdot 1 + f_2, \\
f_3 &= f_2 \cdot 2.
\end{aligned}
$$

Hence, the Euclidean algorithm takes exactly n divisions to show that $(f_{n+2}, f_{n+1}) =
f_2 = 1$. ■

The Complexity of the Euclidean Algorithm We can now prove a theorem first
proved by Gabriel Lamé, a French mathematician of the nineteenth century, which gives
an estimate for the number of divisions needed to find the greatest common divisor using
the Euclidean algorithm.

Theorem 3.13. Lamé’s Theorem. The number of divisions needed to find the greatest
common divisor of two positive integers using the Euclidean algorithm does not exceed
five times the number of decimal digits in the smaller of the two integers.

Proof. When we apply the Euclidean algorithm to find the greatest common divisor of
$a = r_0$ and $b = r_1$ with a > b, we obtain the following sequence of equations:

$$
\begin{aligned}
r_0 &= r_1 q_1 + r_2, & 0 < r_2 < r_1, \\
r_1 &= r_2 q_2 + r_3, & 0 < r_3 < r_2, \\
&\;\;\vdots \\
r_{n-2} &= r_{n-1} q_{n-1} + r_n, & 0 < r_n < r_{n-1}, \\
r_{n-1} &= r_n q_n.
\end{aligned}
$$

We have used n divisions. We note that each of the quotients $q_1, q_2, \ldots, q_{n-1} \geq 1$, and
$q_n \geq 2$, because $r_n < r_{n-1}$. Therefore,

$$
\begin{aligned}
r_n &\geq 1 = f_2, \\
r_{n-1} &\geq 2r_n \geq 2f_2 = f_3, \\
r_{n-2} &\geq r_{n-1} + r_n \geq f_3 + f_2 = f_4, \\
r_{n-3} &\geq r_{n-2} + r_{n-1} \geq f_4 + f_3 = f_5, \\
&\;\;\vdots \\
r_2 &\geq r_3 + r_4 \geq f_{n-1} + f_{n-2} = f_n, \\
b = r_1 &\geq r_2 + r_3 \geq f_n + f_{n-1} = f_{n+1}.
\end{aligned}
$$

Thus, for there to be n divisions used in the Euclidean algorithm, we must have $b \geq f_{n+1}$.
By Example 1.28, we know that $f_{n+1} > \alpha^{n-1}$ for n > 2, where $\alpha = (1 + \sqrt{5})/2$. Hence,
$b > \alpha^{n-1}$. Now, because $\log_{10} \alpha > 1/5$, we see that

$\log_{10} b > (n - 1) \log_{10} \alpha > (n - 1)/5.$

Consequently,

$n - 1 < 5 \cdot \log_{10} b.$

Let b have k decimal digits, so that $b < 10^k$ and $\log_{10} b < k$. Hence, we see that
n - 1 < 5k, and because k is an integer, we can conclude that n ≤ 5k. This establishes
Lamé’s theorem. ■

The following result is a consequence of Lamé’s theorem. It tells us that the Euclidean
algorithm is very efficient.

Corollary 3.13.1. The greatest common divisor of two positive integers a and b with 
a > b can be found using $O((\log_2 a)^3)$ bit operations.



GABRIEL LAMÉ (1795-1870) was a graduate of the École Polytechnique.
A civil and railway engineer, he advanced the mathematical theory of elasticity
and invented curvilinear coordinates. Although his main contributions were to
mathematical physics, he made several discoveries in number theory, including
the estimate of the number of steps required by the Euclidean algorithm, and
the proof that Fermat’s last theorem holds for n = 7 (see Section 13.2). It
is interesting to note that Gauss considered Lamé to be the foremost French
mathematician of his time.

Proof. We know from Lamé’s theorem that $O(\log_2 a)$ divisions, each taking
$O((\log_2 a)^2)$ bit operations, are needed to find (a, b). Hence, by Theorem 2.3, (a, b)
may be found using a total of $O((\log_2 a)^3)$ bit operations. ■
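The Python sketch below is an added illustration, not part of the original text. It counts the divisions the Euclidean algorithm performs, reproduces the Fibonacci behavior of Theorem 3.12, and searches exhaustively for the worst case among all smaller integers with a given number of decimal digits, so the count can be compared with the bound 5k of Lamé's theorem. The function names are chosen here for illustration.

```python
def euclid_divisions(a, b):
    """Run the Euclidean algorithm on positive integers with a >= b.

    Returns (gcd, steps); each step is (dividend, divisor, quotient,
    remainder), one tuple per division performed.
    """
    if a <= 0 or b <= 0:
        raise ValueError("both integers must be positive")
    if a < b:
        raise ValueError("order the inputs so that a >= b")
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r
    return a, steps


def fibonacci(n):
    """Return f_n with f_1 = f_2 = 1."""
    x, y = 1, 1
    for _ in range(n - 1):
        x, y = y, x + y
    return x


def fibonacci_case(n):
    """Number of divisions used to find (f_{n+2}, f_{n+1}); Theorem 3.12 says n."""
    return len(euclid_divisions(fibonacci(n + 2), fibonacci(n + 1))[1])


def lame_bound(b):
    """Lame's bound: five times the number of decimal digits of the smaller integer."""
    return 5 * len(str(b))


def worst_case(digits):
    """Largest division count over all pairs whose smaller integer b has
    exactly `digits` decimal digits, with the first pair that attains it.

    Only a in [b, 2b) is searched: the count depends on a only through
    a mod b, and this range covers every residue.
    """
    best = (0, None)
    for b in range(10 ** (digits - 1), 10 ** digits):
        for a in range(b, 2 * b):
            n = len(euclid_divisions(a, b)[1])
            if n > best[0]:
                best = (n, (a, b))
    return best


if __name__ == "__main__":
    g, steps = euclid_divisions(55, 34)          # Example 3.13
    for dividend, divisor, q, r in steps:
        print(f"{dividend} = {divisor} * {q} + {r}")
    print("gcd:", g, "divisions:", len(steps), "bound:", lame_bound(34))
    for k in (1, 2):
        print(k, "digit(s): worst case", worst_case(k), "bound", 5 * k)
```

For one-digit and two-digit values of b the worst case found by the search equals 5k, attained at consecutive Fibonacci numbers, so the bound in Lamé's theorem cannot be lowered for those sizes.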

Expressing Greatest Common Divisors As Linear Combinations The Euclidean
algorithm can be used to express the greatest common divisor of two integers as
a linear combination of these integers. We illustrate this by expressing (252, 198) = 18
as a linear combination of 252 and 198. Referring to the steps of the Euclidean algorithm
used to find (252, 198), by the next to the last step we see that

18 = 54 - 1 · 36.

By the preceding step, it follows that 

36 = 198 - 3 • 54, 


which implies that 


18 = 54 - 1 · (198 - 3 · 54) = 4 · 54 - 1 · 198.


Likewise, by the first step, we have 

54 = 252 - 1 • 198, 


so that 


18 = 4(252 - 1 · 198) - 1 · 198 = 4 · 252 - 5 · 198.

This last equation exhibits 18 = (252, 198) as a linear combination of 252 and 198. 

In general, to see how d = (a, b) may be expressed as a linear combination of a and 
b, refer to the series of equations that is generated by the Euclidean algorithm. By the 
penultimate equation, we have 


$r_n = (a, b) = r_{n-2} - r_{n-1} q_{n-1}.$

This expresses (a, b) as a linear combination of $r_{n-2}$ and $r_{n-1}$. The second to the last
equation can be used to express $r_{n-1}$ as $r_{n-3} - r_{n-2} q_{n-2}$. Using this last equation to
eliminate $r_{n-1}$ in the previous expression for (a, b), we find that

$r_{n-1} = r_{n-3} - r_{n-2} q_{n-2},$

so that

$$
\begin{aligned}
(a, b) &= r_{n-2} - (r_{n-3} - r_{n-2} q_{n-2}) q_{n-1} \\
&= (1 + q_{n-1} q_{n-2}) r_{n-2} - q_{n-1} r_{n-3},
\end{aligned}
$$

which expresses (a, b) as a linear combination of $r_{n-2}$ and $r_{n-3}$. We continue working
backward through the steps of the Euclidean algorithm to express (a, b) as a linear
combination of each preceding pair of remainders, until we have found (a, b) as a linear
combination of $r_0 = a$ and $r_1 = b$. Specifically, if we have found at a particular stage that

$(a, b) = s r_j + t r_{j-1},$

then, because

$r_j = r_{j-2} - r_{j-1} q_{j-1},$

we have

$$
\begin{aligned}
(a, b) &= s(r_{j-2} - r_{j-1} q_{j-1}) + t r_{j-1} \\
&= (t - s q_{j-1}) r_{j-1} + s r_{j-2}.
\end{aligned}
$$

This shows how to move up through the equations that are generated by the Euclidean 
algorithm so that, at each step, the greatest common divisor of a and b may be expressed 
as a linear combination of a and b. 

This method for expressing (a, b) as a linear combination of a and b is somewhat 
inconvenient for calculation, because it is necessary to work out the steps of the Euclidean 
algorithm, save all these steps, and then proceed backward through the steps to write 
(a, b) as a linear combination of each successive pair of remainders. There is another 
method for finding (a, b) that requires working through the steps of the Euclidean
algorithm only once. The following theorem gives this method, which is called the 
extended Euclidean algorithm. 

Theorem 3.14. Let a and b be positive integers. Then

$(a, b) = s_n a + t_n b,$

where $s_n$ and $t_n$ are the nth terms of the sequences defined recursively by

$s_0 = 1, \quad t_0 = 0,$

$s_1 = 0, \quad t_1 = 1,$

and

$s_j = s_{j-2} - q_{j-1} s_{j-1}, \quad t_j = t_{j-2} - q_{j-1} t_{j-1}$

for j = 2, 3, ..., n, where the $q_j$ are the quotients in the divisions of the Euclidean
algorithm when it is used to find (a, b).

Proof. We will prove that

(3.2) $r_j = s_j a + t_j b$

for j = 0, 1, ..., n. Because $(a, b) = r_n$, once we have established (3.2), we will know
that

$(a, b) = s_n a + t_n b.$

We prove (3.2) using the second principle of mathematical induction. For j = 0,
we have $a = r_0 = 1 \cdot a + 0 \cdot b = s_0 a + t_0 b$. Hence, (3.2) is valid for j = 0. Likewise,
$b = r_1 = 0 \cdot a + 1 \cdot b = s_1 a + t_1 b$, so that (3.2) is valid for j = 1.

Now we assume that

$r_j = s_j a + t_j b$

for j = 1, 2, ..., k - 1. Then, from the kth step of the Euclidean algorithm, we have

$r_k = r_{k-2} - r_{k-1} q_{k-1}.$

Using the induction hypothesis, we find that

$$
\begin{aligned}
r_k &= (s_{k-2} a + t_{k-2} b) - (s_{k-1} a + t_{k-1} b) q_{k-1} \\
&= (s_{k-2} - s_{k-1} q_{k-1}) a + (t_{k-2} - t_{k-1} q_{k-1}) b \\
&= s_k a + t_k b.
\end{aligned}
$$

This finishes the proof.

The following example illustrates the use of this algorithm for expressing (a, b) as
a linear combination of a and b.

Example 3.14. We summarize the steps used by the extended Euclidean algorithm to 
express (252, 198) as a linear combination of 252 and 198 in the following table. 


j    r_j    r_{j+1}    q_{j+1}    r_{j+2}    s_j    t_j
0    252    198        1          54         1      0
1    198    54         3          36         0      1
2    54     36         1          18         1      -1
3    36     18         2          0          -3     4
4                                            4      -5


The values of Sj and tj, j = 0, 1, 2, 3, 4, are computed as follows: 

$s_0 = 1, \quad t_0 = 0,$

$s_1 = 0, \quad t_1 = 1,$

$s_2 = s_0 - s_1 q_1 = 1 - 0 \cdot 1 = 1, \quad t_2 = t_0 - t_1 q_1 = 0 - 1 \cdot 1 = -1,$

$s_3 = s_1 - s_2 q_2 = 0 - 1 \cdot 3 = -3, \quad t_3 = t_1 - t_2 q_2 = 1 - (-1)3 = 4,$

$s_4 = s_2 - s_3 q_3 = 1 - (-3) \cdot 1 = 4, \quad t_4 = t_2 - t_3 q_3 = -1 - 4 \cdot 1 = -5.$

Because $r_4 = 18 = (252, 198)$ and $r_4 = s_4 a + t_4 b$, we have

18 = (252, 198) = 4 · 252 - 5 · 198. ◄

Note that the greatest common divisor of two integers, not both 0, may be expressed 
as a linear combination of these integers in an infinite number of ways. In other words, 
there are infinitely many pairs of Bezout coefficients for every pair of integers, not both
zero. To see this, let d = (a, b) and let d = sa + tb be one way to write d as a linear 
combination of a and b, so that s and t are Bezout coefficients for a and b, guaranteed 
to exist by the previous discussion. Then for all integers k, s + k(b/d) and t — k(a/d) 
are also Bezout coefficients for a and b because 

d = (s + k(b/d))a + (t - k(a/d))b.

Example 3.15. With a = 252 and b = 198, we have 18 = (252, 198) = (4 + 11k)252 +
(-5 - 14k)198 for any integer k. ◄
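The Python sketch below is an added illustration, not part of the original text. It carries out the extended Euclidean algorithm with the recurrences of Theorem 3.14, returning the rows of the table in Example 3.14, then produces the family of Bezout coefficients described above and the linear combination for more than two integers obtained by repeating the two-integer step. The function names are chosen here for illustration.

```python
def extended_euclid(a, b):
    """Return (d, s, t, rows) with d = (a, b) = s*a + t*b for positive a, b.

    rows holds one tuple (j, r_j, r_{j+1}, q_{j+1}, r_{j+2}, s_j, t_j) per
    division, as in the table of Example 3.14. The sequences follow
    Theorem 3.14: s_0 = 1, t_0 = 0, s_1 = 0, t_1 = 1, and
    s_j = s_{j-2} - q_{j-1} s_{j-1}, t_j = t_{j-2} - q_{j-1} t_{j-1}.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive integers")
    r0, r1 = a, b
    s0, s1 = 1, 0
    t0, t1 = 0, 1
    rows = []
    j = 0
    while r1 != 0:
        # Equation (3.2) from the proof: r_j = s_j a + t_j b at every stage.
        assert r0 == s0 * a + t0 * b and r1 == s1 * a + t1 * b
        q, r2 = divmod(r0, r1)
        rows.append((j, r0, r1, q, r2, s0, t0))
        r0, r1 = r1, r2
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
        j += 1
    return r0, s0, t0, rows


def bezout_family(a, b, k):
    """Return the coefficients (s + k(b/d), t - k(a/d)) for the integer k."""
    d, s, t, _ = extended_euclid(a, b)
    return s + k * (b // d), t - k * (a // d)


def bezout_many(nums):
    """Return (d, coeffs) with d = (a_1, ..., a_n) = sum(coeffs[i] * a_i).

    Works left to right: ((a_1, a_2), a_3), and so on, rescaling the
    coefficients found so far at each step. All a_i must be positive.
    """
    d, coeffs = nums[0], [1]
    for x in nums[1:]:
        d, s, t, _ = extended_euclid(d, x)
        coeffs = [s * c for c in coeffs] + [t]
    return d, coeffs


if __name__ == "__main__":
    d, s, t, rows = extended_euclid(252, 198)
    for row in rows:
        print(row)
    print(f"{d} = {s} * 252 + ({t}) * 198")
    for k in (-1, 0, 1, 2):
        sk, tk = bezout_family(252, 198, k)
        print(k, sk, tk, sk * 252 + tk * 198)
    print(bezout_many([15, 21, 35]))   # integers from Example 3.11
```
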

3.4 Exercises

1. Use the Euclidean algorithm to find each of the following greatest common divisors.

a) (45, 75) b) (102, 222) c) (666, 1414) d) (20785, 44350)

2. Use the Euclidean algorithm to find each of the following greatest common divisors.

a) (51, 87) b) (105, 300) c) (981, 1234) d) (34709, 100313)

3. For each pair of integers in Exercise 1, express the greatest common divisor of the integers
as a linear combination of these integers.

4. For each pair of integers in Exercise 2, express the greatest common divisor of the integers
as a linear combination of these integers.

5. Find the greatest common divisor of each of the following sets of integers.

a) 6, 10, 15 b) 70, 98, 105 c) 280, 330, 405, 490

6. Find the greatest common divisor of each of the following sets of integers.

a) 15, 35, 90 b) 300, 2160, 5040 c) 1240, 6660, 15540, 19980

The greatest common divisor of the n integers $a_1, a_2, \ldots, a_n$ can be expressed as a linear
combination of these integers. To do this, first express $(a_1, a_2)$ as a linear combination of $a_1$ and
$a_2$. Then express $(a_1, a_2, a_3) = ((a_1, a_2), a_3)$ as a linear combination of $a_1$, $a_2$, and $a_3$. Repeat this
until $(a_1, a_2, \ldots, a_n)$ is expressed as a linear combination of $a_1, a_2, \ldots, a_n$. Use this procedure
in Exercises 7 and 8.

7. Express the greatest common divisor of each set of numbers in Exercise 5 as a linear 
combination of the numbers in that set. 

8. Express the greatest common divisor of each set of numbers in Exercise 6 as a linear 
combination of the numbers in that set. 

The greatest common divisor of two positive integers can be found by an algorithm that uses 
only subtractions, parity checks, and shifts of binary expansions, without using any divisions. 
The algorithm proceeds recursively using the following reduction: 

(a, b) = a              if a = b;
         2(a/2, b/2)    if a and b are even;
         (a/2, b)       if a is even and b is odd;
         (a - b, b)     if a and b are odd, where a > b.

(Note: Reverse the roles of a and b when necessary.) Exercises 9-13 refer to this algorithm.

9. Find (2106, 8318) using this algorithm.

10. Show that this algorithm always produces the greatest common divisor of a pair of positive
integers.

* 11. How many steps does this algorithm use to find (a, b) if $a = (2^n - (-1)^n)/3$ and $b =
2(2^{n-1} - (-1)^{n-1})/3$, when n is a positive integer?

* 12. Show that to find (a, b) this algorithm uses the subtraction step in the reduction no more than
$1 + [\log_2 \max(a, b)]$ times.

* 13. Devise an algorithm for finding the greatest common divisor of two positive integers using
their balanced ternary expansions.
In Exercise 26 of Section 1.5, a modified division algorithm is given, which states that if a and
b > 0 are integers, then there exist unique integers q, r, and e such that a = bq + er, where
e = ±1, r ≥ 0, and −b/2 < er ≤ b/2. We can set up an algorithm, analogous to the Euclidean
algorithm, based on this modified division algorithm, called the least-remainder algorithm. It
works as follows: Let $r_0 = a$ and $r_1 = b$, where a > b > 0. Using the modified division algorithm
repeatedly, obtain the greatest common divisor of a and b as the last nonzero remainder $r_n$ in the
sequence of divisions

$$\begin{aligned}
r_0 &= r_1 q_1 + e_2 r_2, & -r_1/2 &< e_2 r_2 \le r_1/2 \\
&\;\;\vdots \\
r_{n-2} &= r_{n-1} q_{n-1} + e_n r_n, & -r_{n-1}/2 &< e_n r_n \le r_{n-1}/2 \\
r_{n-1} &= r_n q_n.
\end{aligned}$$
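
An added example (not from the book) of the least-remainder algorithm next to the ordinary Euclidean algorithm, counting divisions for each. The function names are chosen here and the pair (89, 55) is a constructed sample.

```python
def euclid_divisions(a, b):
    """Ordinary Euclidean algorithm: return ((a, b), number of divisions)."""
    divisions = 0
    while b:
        a, b = b, a % b
        divisions += 1
    return a, divisions


def least_remainder_step(a, b):
    """Modified division: return (q, e, r) with a = b*q + e*r,
    e = +1 or -1, r >= 0 and -b/2 < e*r <= b/2 (b > 0)."""
    q, rem = divmod(a, b)            # ordinary division: 0 <= rem < b
    if 2 * rem > b:                  # remainder above b/2: round the quotient up
        q, rem = q + 1, rem - b      # now -b/2 < rem < 0
    e = 1 if rem >= 0 else -1
    return q, e, abs(rem)


def least_remainder_gcd(a, b):
    """Return ((a, b), steps); each step is (r_{j-1}, r_j, q_j, e_{j+1}, r_{j+1})."""
    if a <= 0 or b <= 0:
        raise ValueError("both integers must be positive")
    steps = []
    while b:
        q, e, r = least_remainder_step(a, b)
        steps.append((a, b, q, e, r))
        a, b = b, r                  # the absolute remainder becomes the next divisor
    return a, steps


if __name__ == "__main__":
    g, steps = least_remainder_gcd(89, 55)
    for r_prev, r_cur, q, e, r_next in steps:
        sign = "+" if e == 1 else "-"
        print(f"{r_prev} = {r_cur}*{q} {sign} {r_next}")
    print("gcd:", g, "| least-remainder divisions:", len(steps),
          "| Euclidean divisions:", euclid_divisions(89, 55)[1])
```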

14. Use the least-remainder algorithm to find (384, 226). 

15. Show that the least-remainder algorithm always produces the greatest common divisor of two 
integers. 

** 16. Show that the least-remainder algorithm is always at least as fast as the Euclidean algorithm.
(Hint: First show that if a and b are positive integers with 2b < a, then the least-remainder
algorithm can find (a, b) with no more steps than it uses to find (a, a − b).)

* 17. Find a sequence of integers $v_0, v_1, v_2, \ldots$, such that the least-remainder algorithm takes
exactly n divisions to find $(v_{n+1}, v_{n+2})$.

* 18. Show that the number of divisions needed to find the greatest common divisor of two positive
integers using the least-remainder algorithm is less than 8/3 times the number of digits in the
smaller of the two numbers, plus 4/3.

* 19. Show that $(a^m - 1, a^n - 1) = a^{(m, n)} - 1$ whenever a, m, and n are positive integers and a > 1.

* 20. Show that if m and n are positive integers, then $(f_m, f_n) = f_{(m, n)}$.

The next two exercises deal with the game of Euclid. Two players begin with a pair of positive
integers and take turns making moves of the following type. A player can move from the pair of
positive integers {x, y} with x ≥ y, to any of the pairs {x − ty, y}, where t is a positive integer
and x − ty ≥ 0. A winning move consists of moving to a pair with one element equal to 0.

21. Show that every sequence of moves starting with the pair {a, b} must eventually end with the
pair {0, (a, b)}.

* 22. Show that in a game beginning with the pair {a, b}, the first player may play a winning strategy
if a = b or if $a > b(1 + \sqrt{5})/2$; otherwise, the second player may play a winning strategy.
(Hint: First show that if $y < x < y(1 + \sqrt{5})/2$, then there is a unique move from {x, y} that
goes to a pair {z, y} with $y > z(1 + \sqrt{5})/2$.)

* 23. Show that the number of bit operations needed to use the Euclidean algorithm to find the
greatest common divisor of two positive integers a and b with a > b is $O((\log_2 a)^2)$. (Hint:
First show that the complexity of division of the positive integer q by the positive integer d
is $O(\log q \log d)$.)

* 24. Let a and b be positive integers and let $r_j$ and $q_j$, j = 1, 2, . . . , n, be the remainders and
quotients of the steps of the Euclidean algorithm as defined in this section.
a) Find the value of YTj= i r flj • b) Find the value of Y?j= \ r jQj ■ 
25. Suppose that a and b are positive integers with a > b. Let $q_i$ and $r_i$ be the quotients and
remainders in the steps of the Euclidean algorithm for i = 1, 2, . . . , n, where $r_n$ is the last

nonzero remainder. Let Q { = {^[ q ^ anc * ^ = n”=o Qi- Show that ^ ^ ^ = Q 

Computations and Explorations 

1. Find (9876543210, 123456789), (11111111111, 1000000001) and (45666020043321, 
73433510078091009). 

2. Find Bezout coefficients for each pair of integers in the previous exercise. 

3. Verify Lamé’s theorem for several different pairs of large positive integers of your choice.

4. Compare the number of steps required to find the greatest common divisor of different pairs of 
large positive integers of your choice using the Euclidean algorithm, the algorithm described 
in the preamble to Exercise 9, and the least-remainder algorithm described in the preamble 
to Exercise 14. 

5. Estimate the proportion of pairs of positive integers (a, b ) that are relatively prime, where a 
and b are positive integers not exceeding 1000, not exceeding 10,000, not exceeding 100,000, 
and not exceeding 1,000,000. To do so, you may want to test a random selection of a small 
number of such pairs (see Section 10.1 for material on pseudorandom numbers). Can you 
make any conjectures from this evidence? 

Programming Projects 

1. Given two integers, use the Euclidean algorithm to find their greatest common divisor. 

2. Given two integers, find their greatest common divisor using the modified Euclidean
algorithm given in the preamble to Exercise 14.

3. Given two positive integers, find their greatest common divisor using no divisions (see the 
preamble to Exercise 9). 

4. Given a set of more than two integers, find their greatest common divisor. 

5. Given a pair of positive integers, find Bezout coefficients for them. 

6. Given a set of more than two integers, find Bezout coefficients for them. 

* 7. Play the game of Euclid described in the preamble to Exercise 21.



3.5 The Fundamental Theorem of Arithmetic 

The fundamental theorem of arithmetic is an important result that shows that the primes 
are the multiplicative building blocks of the integers. 

Theorem 3.15. The Fundamental Theorem of Arithmetic. Every positive integer 
greater than 1 can be written uniquely as a product of primes, with the prime factors in 
the product written in nondecreasing order. 
Sometimes, the fundamental theorem of arithmetic is extended to apply to the
integer 1. That is, 1 is considered to be written uniquely as the empty product of primes.

Example 3.16. The factorizations of some positive integers are given by

$240 = 2 \cdot 2 \cdot 2 \cdot 2 \cdot 3 \cdot 5 = 2^4 \cdot 3 \cdot 5$, $289 = 17 \cdot 17 = 17^2$, $1001 = 7 \cdot 11 \cdot 13$. ◄

Note that it is convenient to combine all the factors of a particular prime into a power
of this prime, such as in the previous example: For the factorization of 240, all the factors
of 2 were combined to form $2^4$. Factorizations of integers in which the factors of primes
are combined to form powers are called prime-power factorizations.

To prove the fundamental theorem of arithmetic, we need the following lemma 
concerning divisibility. This lemma turns out to be a crucial part of the proof. 

Lemma 3.4. If a, b, and c are positive integers such that (a, b) = 1 and a | bc, then
a | c.

Proof. Because (a, b) = 1, there are integers x and y such that ax + by = 1. Multiplying
both sides of this equation by c, we have acx + bcy = c. By Theorem 1.9, a divides
acx + bcy, because this is a linear combination of a and bc, both of which are divisible
by a. Hence, a | c. ■

The following consequence of this lemma will be needed in the proof of the
fundamental theorem of arithmetic.

Lemma 3.5. If p divides $a_1 a_2 \cdots a_n$, where p is a prime and $a_1, a_2, \ldots, a_n$ are positive
integers, then there is an integer i with 1 ≤ i ≤ n such that p divides $a_i$.

Proof. We prove this result by induction. The case where n = 1 is trivial. Assume that
the result is true for n. Consider a product of n + 1 integers $a_1 a_2 \cdots a_{n+1}$ that is divisible
by the prime p. We know that either $(p, a_1 a_2 \cdots a_n) = 1$ or $(p, a_1 a_2 \cdots a_n) = p$. If
$(p, a_1 a_2 \cdots a_n) = 1$, then by Lemma 3.4, $p \mid a_{n+1}$. On the other hand, if $p \mid a_1 a_2 \cdots a_n$,
using the induction hypothesis, there is an integer i with 1 ≤ i ≤ n such that $p \mid a_i$.
Consequently, $p \mid a_i$ for some i with 1 ≤ i ≤ n + 1. This proves the result. ■

We now begin the proof of the fundamental theorem of arithmetic. First, we will 
show that every positive integer greater than 1 can be written as the product of primes in 
at least one way. Then we will show that this product is unique up to the order of primes 
that appear. 

Proof. We use proof by contradiction. Assume that some positive integer cannot be
written as the product of primes. Let n be the smallest such integer (such an integer must
exist, from the well-ordering property). If n is prime, it is obviously the product of a set of
primes, namely the one prime n. So n must be composite. Let n = ab, with 1 < a < n and
1 < b < n. But because a and b are smaller than n, they must be the product of primes.
Then, because n = ab, we conclude that n is also a product of primes. This contradiction
shows that every positive integer can be written as the product of primes.
We now finish the proof of the fundamental theorem of arithmetic by showing that
the factorization is unique. Suppose that there is an integer n that has two different
factorizations into primes:

$$n = p_1 p_2 \cdots p_s = q_1 q_2 \cdots q_t,$$

where $p_1, p_2, \ldots, p_s$ and $q_1, q_2, \ldots, q_t$ are all primes, with $p_1 \le p_2 \le \cdots \le p_s$ and
$q_1 \le q_2 \le \cdots \le q_t$.

Remove all common primes from the two factorizations to obtain

$$p_{i_1} p_{i_2} \cdots p_{i_u} = q_{j_1} q_{j_2} \cdots q_{j_v},$$

where the primes on the left-hand side of this equation differ from those on the
right-hand side, u ≥ 1, and v ≥ 1 (because the two original factorizations were presumed to
differ). However, this leads to a contradiction of Lemma 3.5; by this lemma, $p_{i_1}$ must
divide $q_{j_k}$ for some k, which is impossible, because each $q_{j_k}$ is prime and is different
from $p_{i_1}$. Hence, the prime factorization of a positive integer n is unique. ■

Where Unique Factorization Fails The fact that every positive integer has a unique
factorization into primes is a special property of the set of integers that is shared by some,
but not all, systems of numbers. In Chapter 13, we will study the diophantine equation
$x^n + y^n = z^n$. In the nineteenth century, mathematicians thought they could prove that
this equation has no solutions in nonzero integers when n is an integer with n ≥ 3 (a
result known as Fermat’s last theorem), using a form of unique factorization for certain
types of algebraic numbers. It turned out that these numbers do not enjoy the property
of unique factorization. The supposed proofs were incorrect, a problem that escaped the
notice of many eminent mathematicians.

Although we do not want to go too far afield (by introducing algebraic number
theory, for instance), we can provide an example showing that unique factorization fails
for certain types of numbers. Consider the set of numbers of the form $a + b\sqrt{-5}$, where
a and b are integers. This set contains every integer (taking b = 0), as well as other
numbers such as $3\sqrt{-5}$, $-1 + 4\sqrt{-5}$, $7 - 5\sqrt{-5}$, and so on. A number of this form is
prime (in this context) if it cannot be written as the product of two other numbers of
this form both different than ±1. Note that $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$. Each of
the numbers 2, 3, $1 + \sqrt{-5}$, and $1 - \sqrt{-5}$ is a prime (see Exercises 19-22 at the end of
this section to see how this can be established). It follows that the set of numbers of the
form $a + b\sqrt{-5}$ does not enjoy the property of unique factorization into primes. On the
other hand, numbers of the form $a + b\sqrt{-1}$, where a and b are integers, do have unique
factorization, as we will show in Chapter 14.
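
An added check of this example (not the book's code): numbers $a + b\sqrt{-5}$ are stored as pairs (a, b), and the search uses the norm $a^2 + 5b^2$ defined in the exercises of this section, assuming its multiplicativity. The function names are chosen here.

```python
from math import isqrt


def mul(x, y):
    """(a + b*sqrt(-5)) * (c + d*sqrt(-5)) as a pair."""
    (a, b), (c, d) = x, y
    return (a * c - 5 * b * d, a * d + b * c)


def norm(x):
    """N(a + b*sqrt(-5)) = a^2 + 5*b^2."""
    a, b = x
    return a * a + 5 * b * b


def elements_of_norm(n):
    """All pairs (a, b) with a^2 + 5*b^2 == n."""
    found = set()
    limit = isqrt(n // 5)
    for b in range(-limit, limit + 1):
        rest = n - 5 * b * b
        a = isqrt(rest)
        if a * a == rest:
            found.update({(a, b), (-a, b)})
    return sorted(found)


def proper_factorizations(x):
    """All (y, z) with y*z == x and neither factor equal to +1 or -1.

    By multiplicativity of the norm, N(y) must be a divisor d of N(x) with
    1 < d < N(x), so only elements of those norms need to be tried.
    """
    a, b = x
    n = norm(x)
    pairs = []
    for d in range(2, n):
        if n % d:
            continue
        for (c, e) in elements_of_norm(d):
            # x / y = x * conj(y) / N(y); y divides x iff both parts are integers
            re, im = a * c + 5 * b * e, b * c - a * e
            if re % d == 0 and im % d == 0:
                pairs.append(((c, e), (re // d, im // d)))
    return pairs


def is_irreducible(x):
    """True if x is 'prime' in the sense used in the text."""
    return norm(x) > 1 and not proper_factorizations(x)


if __name__ == "__main__":
    print(mul((2, 0), (3, 0)), mul((1, 1), (1, -1)))       # both equal 6
    for x in [(2, 0), (3, 0), (1, 1), (1, -1)]:
        print(x, "norm", norm(x), "irreducible:", is_irreducible(x))
```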

Using Prime Factorizations 

The prime-power factorization of a positive integer n encodes essential information about 
n. Given this factorization, we can immediately deduce whether a prime p divides n 
because p divides n if and only if it appears in this factorization. (We can obtain a 
contradiction of the uniqueness of the prime-power factorization of n if a prime q divided 
n, but did not appear in the prime-power factorization of n. The reader should fill in the 
other parts of the proof.) For instance, because $168 = 2^3 \cdot 3 \cdot 7$, each of the primes 2, 3,
and 7 divides 168, but none of the primes 5, 11, and 13 do. Furthermore, the highest power
of a prime p that divides n is the power of this prime in the prime-power factorization of
n. For instance, each of $2^3$, 3, and 7 divides 168, but none of $2^4$, $3^2$, and $7^2$ do. Moreover,
an integer d divides n if and only if all the primes in the prime-power factorization of d
appear in the prime-power factorization of n to powers at least as large as they do in the
prime-power factorization of d. (The reader should also verify that this follows from the
fundamental theorem of arithmetic.) The following example illustrates how we can find
all the positive divisors of a positive integer using this observation.

Example 3.17. The positive divisors of $120 = 2^3 \cdot 3 \cdot 5$ are those positive integers with
prime-power factorizations containing only the primes 2, 3, and 5 to powers less than or
equal to 3, 1, and 1, respectively. These divisors are

1            3                    5                    $3 \cdot 5 = 15$
2            $2 \cdot 3 = 6$      $2 \cdot 5 = 10$     $2 \cdot 3 \cdot 5 = 30$
$2^2 = 4$    $2^2 \cdot 3 = 12$   $2^2 \cdot 5 = 20$   $2^2 \cdot 3 \cdot 5 = 60$
$2^3 = 8$    $2^3 \cdot 3 = 24$   $2^3 \cdot 5 = 40$   $2^3 \cdot 3 \cdot 5 = 120$.


Another way in which we can use prime factorizations is to find greatest common 
divisors, as illustrated in the following example. 

Example 3.18. To be a common divisor of $720 = 2^4 \cdot 3^2 \cdot 5$ and $2100 = 2^2 \cdot 3 \cdot 5^2 \cdot 7$, a
positive integer can contain only the primes 2, 3, and 5 in its prime-power factorization,
and the power to which one of these primes appears cannot be larger than either of
the powers of that prime in the factorizations of 720 and 2100. Consequently, to be a
common divisor of 720 and 2100, a positive integer can contain only the primes 2, 3,
and 5 to powers no larger than 2, 1, and 1, respectively. Therefore, the greatest common
divisor of 720 and 2100 is $2^2 \cdot 3 \cdot 5 = 60$. ◄

To describe, in general, how prime factorizations can be used to find greatest
common divisors, let min(a, b) denote the smaller, or minimum, of the two numbers
a and b. Now, let the prime factorizations of a and b be

$$a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}, \qquad b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n},$$

where each exponent is a nonnegative integer, and where all primes occurring in the prime
factorizations of a and of b are included in both products, perhaps with 0 exponents. We
note that

$$(a, b) = p_1^{\min(a_1, b_1)} p_2^{\min(a_2, b_2)} \cdots p_n^{\min(a_n, b_n)},$$

because for each prime $p_i$, a and b share exactly $\min(a_i, b_i)$ factors of $p_i$.

Prime factorizations can also be used to find the smallest integer that is a multiple of 
each of two positive integers. The problem of finding this integer arises when fractions 
are added. 
Definition. The least common multiple of two nonzero integers a and b is the smallest
positive integer that is divisible by a and b.

The least common multiple of a and b is denoted by [a, b]. (Note: The notation
lcm(a, b) is also commonly used to denote the least common multiple of a and b.)

Example 3.19. We have the following least common multiples: [15, 21] = 105,
[24, 36] = 72, [2, 20] = 20, and [7, 11] = 77. ◄

Once the prime factorizations of a and b are known, it is easy to find [a, b].
If $a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and $b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$, where $p_1, p_2, \ldots, p_n$ are the primes
occurring in the prime-power factorizations of a and b (where we might have $a_i = 0$
or $b_i = 0$ for some i), then for an integer to be divisible by both a and b, it is necessary
that in the factorization of the integer, each $p_j$ occurs with a power at least as large as
$a_j$ and $b_j$. Hence, [a, b], the smallest positive integer divisible by both a and b, is

$$[a, b] = p_1^{\max(a_1, b_1)} p_2^{\max(a_2, b_2)} \cdots p_n^{\max(a_n, b_n)},$$

where max(x, y) denotes the larger, or maximum, of x and y.

Finding the prime factorization of large integers is time-consuming. Therefore, we 
would prefer a method for finding the least common multiple of two integers without 
using the prime factorizations of these integers. We will show that we can find the least 
common multiple of two positive integers once we know the greatest common divisor 
of these integers. The latter can be found via the Euclidean algorithm. First, we prove 
the following lemma. 

Lemma 3.6. If x and y are real numbers, then max(x, y) + min(x, y) = x + y.

Proof. If x ≥ y, then min(x, y) = y and max(x, y) = x, so that max(x, y) + min(x, y) =
x + y. If x < y, then min(x, y) = x and max(x, y) = y, and again we find that
max(x, y) + min(x, y) = x + y. ■

We use the following theorem to find [a, b] once (a, b) is known.

Theorem 3.16. If a and b are positive integers, then [a, b] = ab/(a, b), where [a, b]
and (a, b) are the least common multiple and greatest common divisor of a and b,
respectively.

Proof. Let a and b have prime-power factorizations $a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and
$b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$, where the exponents are nonnegative integers and all primes occurring in
either factorization occur in both, perhaps with 0 exponents. Now let $M_j = \max(a_j, b_j)$
and $m_j = \min(a_j, b_j)$. Then we have

because $M_j + m_j = \max(a_j, b_j) + \min(a_j, b_j) = a_j + b_j$ by Lemma 3.6. ■
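
An added example (not from the book) that carries out Examples 3.17 and 3.18 and the min/max exponent formulas mechanically, then checks Theorem 3.16 on them. Trial division is the factoring method assumed here, and the function names are chosen for this sketch.

```python
from collections import Counter
from itertools import product
from math import prod


def prime_power_factorization(n):
    """Return Counter {prime: exponent} for n >= 1, by trial division."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = Counter()
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] += 1
            n //= p
        p += 1 if p == 2 else 2      # after 2, try odd candidates only
    if n > 1:                        # what is left is a prime factor
        factors[n] += 1
    return factors


def divisors(n):
    """All positive divisors of n: every choice of exponent 0..e for each p^e."""
    f = prime_power_factorization(n)
    primes = sorted(f)
    exponent_ranges = [range(f[p] + 1) for p in primes]
    return sorted(
        prod(p ** e for p, e in zip(primes, choice))
        for choice in product(*exponent_ranges)
    )


def gcd_lcm_from_factorizations(a, b):
    """Return ((a, b), [a, b]) using min and max of the exponents.

    A Counter returns 0 for a missing prime, which matches the convention
    that primes absent from one factorization appear with exponent 0.
    """
    fa, fb = prime_power_factorization(a), prime_power_factorization(b)
    primes = set(fa) | set(fb)
    g = prod(p ** min(fa[p], fb[p]) for p in primes)
    l = prod(p ** max(fa[p], fb[p]) for p in primes)
    return g, l


if __name__ == "__main__":
    print(divisors(120))
    g, l = gcd_lcm_from_factorizations(720, 2100)
    print(g, l, g * l == 720 * 2100)   # Theorem 3.16: [a, b] = ab/(a, b)
```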

The following consequence of the fundamental theorem of arithmetic will be needed 
later. 


Lemma 3.7. Let m and n be relatively prime positive integers. Then, if d is a positive
divisor of mn, there is a unique pair of positive divisors $d_1$ of m and $d_2$ of n such that
$d = d_1 d_2$. Conversely, if $d_1$ and $d_2$ are positive divisors of m and n, respectively, then
$d = d_1 d_2$ is a positive divisor of mn.

Proof. Let the prime-power factorizations of m and n be $m = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s}$ and
$n = q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t}$. Because (m, n) = 1, the set of primes $p_1, p_2, \ldots, p_s$ and the set of primes
$q_1, q_2, \ldots, q_t$ have no common elements. Therefore, the prime-power factorization of
mn is

$$mn = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s} q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t}.$$

Hence, if d is a positive divisor of mn, then

$$d = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t},$$

where $0 \le e_i \le m_i$ for i = 1, 2, . . . , s and $0 \le f_j \le n_j$ for j = 1, 2, . . . , t. Now, let
$d_1 = (d, m)$ and $d_2 = (d, n)$, so that

$$d_1 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} \quad \text{and} \quad d_2 = q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}.$$

Clearly, $d = d_1 d_2$ and $(d_1, d_2) = 1$. This is the decomposition of d that we desire.
Furthermore, this decomposition is unique. To see this, note that every prime power in
the factorization of d must occur in either $d_1$ or $d_2$, that prime powers in the factorization
of d that are powers of primes dividing m must appear in $d_1$, and that prime powers in
the factorization of d that are powers of primes dividing n must appear in $d_2$. It follows
that $d_1$ must be (d, m) and $d_2$ must be (d, n).

Conversely, let $d_1$ and $d_2$ be positive divisors of m and n, respectively. Then

$$d_1 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s},$$

where $0 \le e_i \le m_i$ for i = 1, 2, . . . , s, and

$$d_2 = q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t},$$

where $0 \le f_j \le n_j$ for j = 1, 2, . . . , t. The integer

$$d = d_1 d_2 = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s} q_1^{f_1} q_2^{f_2} \cdots q_t^{f_t}$$

is clearly a divisor of

$$mn = p_1^{m_1} p_2^{m_2} \cdots p_s^{m_s} q_1^{n_1} q_2^{n_2} \cdots q_t^{n_t},$$

because the power of each prime occurring in the prime-power factorization of d is less
than or equal to the power of that prime in the prime-power factorization of mn. ■

A Proof of a Special Case of Dirichlet’s Theorem Prime factorization can be used
to prove special cases of Dirichlet’s theorem, which states that the arithmetic progression
an + b contains infinitely many primes whenever a and b are relatively prime positive
integers. We will illustrate this with a proof of Dirichlet’s theorem for the progression
4n + 3.

Theorem 3.17. There are infinitely many primes of the form 4n + 3, where n is a
positive integer.

Before we prove this result, we prove a useful lemma.

Lemma 3.8. If a and b are integers, both of the form 4n + 1, then the product ab is
also of this form.

Proof. Because a and b are both of the form 4n + 1, there exist integers r and s such
that a = 4r + 1 and b = 4s + 1. Hence,

ab = (4r + 1)(4s + 1) = 16rs + 4r + 4s + 1 = 4(4rs + r + s) + 1,

which is again of the form 4n + 1. ■

We now prove the desired result. 

Proof. Let us assume that there are only a finite number of primes of the form 4n + 3,
say, $p_0 = 3, p_1, p_2, \ldots, p_r$. Let

$$Q = 4 p_1 p_2 \cdots p_r + 3.$$

Then there is at least one prime in the factorization of Q of the form 4n + 3. Otherwise,
all of these primes would be of the form 4n + 1, and by Lemma 3.8, this would imply
that Q would also be of this form, which is a contradiction. However, none of the
primes $p_0, p_1, \ldots, p_r$ divides Q. The prime 3 does not divide Q, for if 3 | Q, then
$3 \mid (Q - 3) = 4 p_1 p_2 \cdots p_r$, which is a contradiction. Likewise, none of the primes $p_j$
can divide Q, because $p_j \mid Q$ implies $p_j \mid (Q - 4 p_1 p_2 \cdots p_r) = 3$, which is absurd.
Hence, there are infinitely many primes of the form 4n + 3. ■

Results About Irrational Numbers We conclude this section by proving some results
about irrational numbers. Before we turn our attention to irrational numbers, we briefly
consider different representations of rational numbers as quotients of integers. Note that
if α is a rational number, then we may write α as the quotient of two integers in infinitely
many ways, for if α = a/b, where a and b are integers with b ≠ 0, then α = ka/kb
whenever k is a nonzero integer. However, as can be seen by unique factorization, a positive
rational number r may be written uniquely in lowest terms. This representation can be
obtained by canceling out common prime factors in the numerator and denominator in
any quotient of two integers that equals r. For example, the rational number 11/21 is in
lowest terms. We also see that

⋯ = −33/−63 = −22/−42 = −11/−21 = 11/21 = 22/42 = 33/63 = ⋯.

The next two results show that certain numbers are irrational. We start by giving another
proof that $\sqrt{2}$ is irrational (we proved this originally in Section 1.1).

Example 3.20. Suppose that $\sqrt{2}$ is rational. Then $\sqrt{2} = a/b$, where a and b are
relatively prime integers with b ≠ 0. It follows that $2 = a^2/b^2$, so that $2b^2 = a^2$. Because
$2 \mid a^2$, it follows (see Exercise 40 at the end of this section) that 2 | a. Let a = 2c, so
that $b^2 = 2c^2$. Hence, $2 \mid b^2$, and by Exercise 40, 2 also divides b. However, because
(a, b) = 1, we know that 2 cannot divide both a and b. This contradiction shows that $\sqrt{2}$
is irrational. ◄

We can also use the following more general result to show that $\sqrt{2}$ is irrational.

Theorem 3.18. Let α be a real number that is a root of the polynomial
$x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0$, where the coefficients $c_0, c_1, \ldots, c_{n-1}$ are integers. Then α is either an
integer or an irrational number.

Proof. Suppose that α is rational. Then we can write α = a/b, where a and b are
relatively prime integers with b ≠ 0. Because α is a root of $x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0$,
we have

$$(a/b)^n + c_{n-1}(a/b)^{n-1} + \cdots + c_1(a/b) + c_0 = 0.$$

Multiplying by $b^n$, we find that

$$a^n + c_{n-1} a^{n-1} b + \cdots + c_1 a b^{n-1} + c_0 b^n = 0.$$

Because

$$a^n = b(-c_{n-1} a^{n-1} - \cdots - c_1 a b^{n-2} - c_0 b^{n-1}),$$

we see that $b \mid a^n$. Assume that b ≠ ±1. Then b has a prime divisor p. Because p | b and
$b \mid a^n$, we know that $p \mid a^n$. Hence, by Exercise 41, we see that p | a. However, because
(a, b) = 1, this is a contradiction, which shows that b = ±1. Consequently, if α is rational
then α = ±a, so that α must be an integer. ■

We illustrate the use of Theorem 3.18 with the following example. 

Example 3.21. Let a be a positive integer that is not the mth power of an integer, so
that $\sqrt[m]{a}$ is not an integer. Then $\sqrt[m]{a}$ is irrational by Theorem 3.18, because $\sqrt[m]{a}$ is a root
of $x^m - a$. Consequently, such numbers as $\sqrt{2}$, ^5, \/l 1, etc., are irrational. ◄

The fundamental theorem of arithmetic can be used to prove the following result, 
which relates the famous Riemann zeta function to the prime numbers. 
Theorem 3.19. If s is a real number with s > 1, then

$$\sum_{n=1}^{\infty} \frac{1}{n^s} = \prod_{p \text{ prime}} \left(1 - \frac{1}{p^s}\right)^{-1}.$$

Not surprisingly, we will not prove Theorem 3.19 because its proof depends on results
from analysis. We note here that the proof uses the fundamental theorem of arithmetic
to show that the term $1/n^s$, where n is a positive integer, appears exactly once when the
terms of the product on the right-hand side are expanded. To see this, we use the fact that

$$\frac{1}{1 - 1/p^s} = \sum_{k=0}^{\infty} \left(\frac{1}{p^k}\right)^s.$$

So multiplying, if $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ is the prime-power factorization of n, the term $1/n^s$
appears exactly once in the expansion of the product. The details of the proof can be
found in [HaWr08].

3.5 Exercises 


1. Find the prime factorizations of each of the following integers.

a) 36     d) 289    g) 515     j) 8000

b) 39     e) 222    h) 989     k) 9555

c) 100    f) 256    i) 5040    l) 9999

2. Find the prime factorization of 111,111.

3. Find the prime factorization of 4,849,845. 

4. Find all of the prime factors of each of the following integers, 

a) 100,000 b) 10,500,000 c) 10! d) (*j) 

5. Find all of the prime factors of each of the following integers, 

a) 196,608 b) 7,290,000 c) 20! d) (g) 

6. Show that all of the powers in the prime-power factorization of an integer n are even if and 
only if n is a perfect square. 

7. Which positive integers have exactly three positive divisors? Which have exactly four positive 
divisors? 

8. Show that every positive integer can be written as the product of a square (possibly 1) and 
a square-free integer. A square-free integer is an integer that is not divisible by any perfect 
squares other than 1. 

9. An integer n is called powerful if, whenever a prime p divides n, p 2 divides n. Show that 
every powerful number can be written as the product of a perfect square and a perfect cube. 
10. Show that if a and b are positive integers and $a^3 \mid b^2$, then a | b.

11. Let p be a prime and n a positive integer. If $p^a \mid n$, but $p^{a+1} \nmid n$, we say that $p^a$ exactly divides
n, and we write $p^a \,\|\, n$.

a) Show that if $p^a \,\|\, m$ and $p^b \,\|\, n$, then $p^{a+b} \,\|\, mn$.

b) Show that if $p^a \,\|\, m$, then $p^{ka} \,\|\, m^k$.

c) Show that if $p^a \,\|\, m$ and $p^b \,\|\, n$ with a ≠ b, then || (m + n).

12. Let n be a positive integer. Show that the power of the prime p occurring in the prime-power
factorization of n! is

$$[n/p] + [n/p^2] + [n/p^3] + \cdots.$$

13. Use Exercise 12 to find the prime-power factorization of 20!. 

14. How many zeros are there at the end of 1000! in decimal notation? How many in base 8 
notation? 

15. Find all positive integers n such that n! ends with exactly 74 zeros in decimal notation. 

16. Show that if n is a positive integer, it is impossible for n! to end with exactly 153, 154, or 155 
zeros when it is written in decimal notation. 

Let $\alpha = a + b\sqrt{-5}$, where a and b are integers. Define the norm of α, denoted by N(α), as
$N(\alpha) = a^2 + 5b^2$.

17. Show that if $\alpha = a + b\sqrt{-5}$ and $\beta = c + d\sqrt{-5}$, where a, b, c, and d are integers, then
N(αβ) = N(α)N(β).

18. A number of the form $a + b\sqrt{-5}$ is prime if it cannot be written as the product of numbers
α and β, where neither α nor β equals ±1. Show that the number 2 is a prime number of the
form $a + b\sqrt{-5}$. (Hint: Start with N(2) = N(αβ), and use Exercise 17.)

19. Use an argument similar to that in Exercise 18 to show that 3 is a prime number of the form
$a + b\sqrt{-5}$.

20. Use arguments similar to that in Exercise 18 to show that both $1 \pm \sqrt{-5}$ are prime numbers
of the form $a + b\sqrt{-5}$.

21. Find two different factorizations of the number 19 into primes of the form $a + b\sqrt{-5}$, where
a and b are integers.

* 22. Show that the set of all numbers of the form $a + b\sqrt{-6}$, where a and b are integers, does not
enjoy the property of unique factorization.
enjoy the property of unique factorization. 

The next four exercises present another example of a system where unique factorization into 
primes fails. Let H be the set of all positive integers of the form 4k + 1, where k is a nonnegative 
integer. 

23. Show that the product of two elements of H is also in H. 

24. An element h ≠ 1 in H is called a Hilbert prime (named after famous German mathematician
David Hilbert) if the only way it can be written as the product of two integers in H is
h = h • 1 = 1 • h. Find the 20 smallest Hilbert primes.

25. Show that every element of H greater than 1 can be factored into Hilbert primes. 

26. Show that factorization of elements of H into Hilbert primes is not necessarily unique, by 
finding two different factorizations of 693 into Hilbert primes. 
27. Which positive integers n are divisible by all integers not exceeding

28. Find the least common multiple of each of the following pairs of integers. 

a) 8, 12 c) 28, 35 e) 256, 5040 

b) 14, 15 d) 111, 303 f) 343, 999

29. Find the least common multiple of each of the following pairs of integers. 

a) 7, 11 c) 25, 30 e) 1331, 5005 

b) 12, 18 d) 101, 333 f) 5040, 7700

30. Find the greatest common divisor and least common multiple of the following pairs of 
integers. 

a) $2 \cdot 3^2 5^3$, $2^2 3^3 7^2$     c) $2^8 3^6 5^4 11^{13}$, $2 \cdot 3 \cdot 5 \cdot 11 \cdot 13$

b) $2 \cdot 3 \cdot 5 \cdot 7$, $7 \cdot 11 \cdot 13$     d) $41^{101} 47^{43} 103^{1001}$, $41^{11} 43^{47} 83^{111}$

31. Find the greatest common divisor and least common multiple of the following pairs of
integers.

a) $2^2 3^3 5^5 7^7$, $2^7 3^5 5^3 7^2$     c) 2 3 ^1 1 13 , $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13$

b) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13$, $17 \cdot 19 \cdot 23 \cdot 29$     d) $47^{11} 79^{111} 101^{1001}$, $41^{11} 83^{111} 101^{1000}$

* 32. Let n be a positive integer greater than 1. Show that $1 + \frac{1}{2} + \frac{1}{3} + \cdots + \frac{1}{n}$ is not an integer.

33. Periodical cicadas are insects with very long larval periods and brief adult lives. For each 
species of periodical cicada with a larval period of 17 years, there is a similar species with 
a larval period of 13 years. If both the 17-year and 13-year species emerged in a particular 
location in 1900, when will they next both emerge in that location? 

34. Which pairs of integers a and b have greatest common divisor 18 and least common multiple
540?

35. Show that if a and b are positive integers, then (a, b) | [a, b]. When does (a, b) = [a, b]?

36. Show that if a and b are positive integers, then there are divisors c of a and d of b with
(c, d) = 1 and cd = [a, b].


DAVID HILBERT (1862-1943), born in Königsberg, the city famous in mathematics
for its seven bridges, was the son of a judge. During his tenure at
Göttingen University, from 1892 to 1930, Hilbert made many fundamental
contributions to a wide range of mathematical subjects. He almost always worked on
one area of mathematics at a time, making important contributions, then moving
to a new mathematical subject. Some areas in which Hilbert worked are
the calculus of variations, geometry, algebra, number theory, logic, and
mathematical physics. Besides his many outstanding original contributions, Hilbert is
remembered for his famous list of 23 difficult problems. He described these problems at the 1900
International Congress of Mathematicians, as a challenge to mathematicians at the birth of the twentieth
century. Since that time, they have spurred a tremendous amount and variety of research. Although
many of these problems have now been solved, several remain open, including the Riemann
hypothesis, which is part of Problem 8 on Hilbert’s list. Hilbert was also the author of several important
textbooks in number theory and geometry.

The least common multiple of the integers $a_1, a_2, \ldots, a_n$, which are not all zero, is the smallest
positive integer that is divisible by all the integers $a_1, a_2, \ldots, a_n$; it is denoted by $[a_1, a_2, \ldots, a_n]$.

► 37. a) Show that if a, b, and c are integers, then [a, b] | c if and only if a | c and b | c. 

b) Show that if $a_1, a_2, \ldots, a_n$ and d are integers where n is a positive integer, then 
$[a_1, a_2, \ldots, a_n] \mid d$ if and only if $a_i \mid d$ for i = 1, 2, ..., n. 

► 38. Use Lemma 3.4 to show that if p is a prime and a is an integer with $p \mid a^2$, then p | a. 

► 39. Show that if p is a prime, a is an integer, and n is a positive integer such that $p \mid a^n$, then 
p | a. 

40. Show that if a, b, and c are integers with c | ab, then c | (a, c)(b, c). 

41. a) Show that if a and b are positive integers with (a, b) = 1, then $(a^n, b^n) = 1$ for all positive 
integers n. 

b) Use part (a) to prove that if a and b are integers such that $a^n \mid b^n$, where n is a positive 
integer, then a | b. 

42. Show that v^5 is irrational: 

a) by an argument similar to that given in Example 3.20; 

b) using Theorem 3.18. 

43. Show that $\sqrt{2} + \sqrt{3}$ is irrational. 

44. Show that $\log_2 3$ is irrational. 

45. Show that $\log_p b$ is irrational, where p is a prime and b is a positive integer that is not the 
second or higher power of p. 

46. a) Show that if a and b are positive integers, then (a, b) = (a + b, [a, b]). 

b) Use part (a) to find the two positive integers with sum 798 and least common multiple 
10,780. 

47. Show that if a, b, and c are positive integers, then ([a, b], c) = [(a, c), (b, c)] and [(a, b), c] = 
([a, c], [b, c]). 

48. Find [6, 10, 15] and [7, 11, 13]. 

49. Show that $[a_1, a_2, \ldots, a_{n-1}, a_n] = [[a_1, a_2, \ldots, a_{n-1}], a_n]$. 

50. Let n be a positive integer. How many pairs of positive integers satisfy [a, b] = n? (Hint: 
Consider the prime factorization of n.) 

51. a) Show that if a, b, and c are positive integers, then 

max(a, b, c) = a + b + c - min(a, b) - min(a, c) - min(b, c) + min(a, b, c). 

b) Use part (a) to show that 

[a,b,c ] . 

(a, b)(a, c)(b, c) 

52. Generalize Exercise 51 to find a formula relating $(a_1, a_2, \ldots, a_n)$ and $[a_1, a_2, \ldots, a_n]$, where 
$a_1, a_2, \ldots, a_n$ are positive integers. 

53. Show that if a, b, and c are positive integers, then (a, b, c)[ab, ac, bc] = abc. 

54. Show that if a, b, and c are positive integers, then [a, b, c](ab, ac, bc) = abc. 

55. Show that if a, b, and c are positive integers, then ([a, b], [a, c], [b, c]) = [(a, b), (a, c), 
(b, c)]. 

56. Prove that there are infinitely many primes of the form 6k + 5, where k is a positive integer. 

* 57. Show that if a and b are positive integers, then the arithmetic progression a, a + b, a + 
2b, ..., contains an arbitrary number of consecutive composite terms. 

58. Find the prime factorizations of each of the following integers. 

a) $10^6 - 1$    c) $2^{15} - 1$    e) $2^{30} - 1$ 

b) $10^8 - 1$    d) $2^{24} - 1$    f) $2^{36} - 1$ 

59. A discount store sells a camera at a price less than its usual retail price of $99 but more than 
$1. If they sell $8137 worth of this camera and the discounted dollar price is an integer, how 
many cameras did they sell? 

60. A publishing company sells $375,961 worth of a particular book. How many copies of the 
book did they sell if their price is an exact dollar amount that is more than $1? 

61. If a store sells $139,499 worth of electronic organizers at a sale price that is an exact dollar 
amount less than $300 and more than $1, how many electronic organizers did they sell? 

62. Show that if a and b are positive integers, then $a^2 \mid b^2$ implies that a | b. 

63. Show that if a, b, and c are positive integers with (a, b) = 1 and $ab = c^n$, then there are 
positive integers d and e such that $a = d^n$ and $b = e^n$. 

► 64. Show that if $a_1, a_2, \ldots, a_n$ are pairwise relatively prime integers, then 
$[a_1, a_2, \ldots, a_n] = a_1 a_2 \cdots a_n$. 

65. Show that among any set of n + 1 positive integers not exceeding 2n, there is an integer that 
divides a different integer in the set. 

66. Show that (m + n)!/(m! n!) is an integer whenever m and n are positive integers. 

* 67. Find all solutions of the equation $m^n = n^m$, where m and n are integers. 

68. Let $p_1, p_2, \ldots, p_n$ be the first n primes and let m be an integer with 1 < m < n. Let Q be the 
product of a set of m primes in the list and let R be the product of the remaining primes. Show 
that Q + R is not divisible by any primes in the list, and hence must have a prime factor not 
in the list. Conclude that there are infinitely many primes. 

69. This exercise presents another proof that there are infinitely many primes. Assume that there 
are exactly r primes $p_1, p_2, \ldots, p_r$. Let $Q_k = \left(\prod_{j=1}^{r} p_j\right)/p_k$ for k = 1, 2, ..., r. Let 
$S = \sum_{j=1}^{r} Q_j$. Show that S must have a prime factor not among the r primes listed. Conclude 
that there are infinitely many primes. (This proof was published by G. Metrod in 1917.) 

70. Show that if p is prime and 1 < k < p, then the binomial coefficient $\binom{p}{k}$ is divisible by p. 

71. Prove that in the prime factorization of n!, where n is an integer with n > 1, there is at least 
one prime factor with 1 as its exponent. (Hint: Use Bertrand’s postulate.) 

Exercises 72 and 73 outline two additional proofs that there are infinitely many primes. 

72. Suppose that $p_1, \ldots, p_j$ are the first j primes, in increasing order. Denote by N(x) the number 
of integers n not exceeding the integer x that are not divisible by any prime exceeding $p_j$. 

a) Show that every integer n not divisible by any prime exceeding $p_j$ can be written in the 
form $n = r^2 s$, where s is square-free. 

b) Show there are only $2^j$ possible values of s in part (a) by looking at the prime factorization 
of such an integer n, which is a product of terms $p_k^{e_k}$, where 0 < k < j and $e_k$ is 0 or 1. 

c) Show that if n < x, then $r < \sqrt{n} < \sqrt{x}$, where r is in part (a). Conclude that there are no 
more than $\sqrt{x}$ different values possible for r. Conclude that $N(x) < 2^j \sqrt{x}$. 

d) Show that if the number of primes is finite and $p_j$ is the largest prime, then N(x) = x for 
all integers x. 

e) Show from parts (c) and (d) that $x < 2^j \sqrt{x}$, so that $x < 2^{2j}$ for all x, leading to a 
contradiction. Conclude that there must be infinitely many primes. 

73. This exercise develops a proof that there are infinitely many primes based on the fundamental 
theorem of arithmetic published by A. Auric in 1915. Assume that there are exactly r primes, 
$p_1 < p_2 < \cdots < p_r$. Suppose that n is a positive integer and let $Q = p_r^n$. 

a) Show that an integer m with 1 < m < Q can be written uniquely as $m = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$, 
where $e_i > 0$ for i = 1, 2, ..., r. Furthermore, show that for the integer m with this 
factorization, $p_1^{e_i} < m < Q = p_r^n$. 

b) Let $C = (\log p_r)/(\log p_1)$. Show that $e_i < nC$ for i = 1, 2, ..., r and that Q does not 
exceed the number of r-tuples $(e_1, e_2, \ldots, e_r)$ of exponents in the prime-power 
factorizations of integers m with 1 < m < Q. 

c) Conclude from part (b) that $Q = p_r^n < (Cn + 1)^r < n^r (C + 1)^r$. 

d) Show that the inequality in part (c) cannot hold for sufficiently large values of n. Conclude 
that there must be infinitely many primes. 

Suppose that n is a positive integer. We define the Smarandache function S(n) by specifying that 
S(n) is the least positive integer for which n divides S(n)!. For example, S(8) = 4 because 8 does 
not divide 1! = 1, 2! = 2, and 3! = 6, but it does divide 4! = 24. 

74. Find S(n) for all positive integers n not exceeding 12. 

75. Find S(n) for n = 40, 41, and 43. 

76. Show that S(p) = p whenever p is prime. 

Let a(n) be the least inverse of the Smarandache function, that is, the least positive integer m 
for which S(m) = n. In other words, a(n) is the position of the first occurrence of the integer n 
in the sequence S(1), S(2), ..., S(k), .... 

77. Find a(n) for all positive integers n not exceeding 11. 

78. Find a(12). 

79. Show that a(p) = p whenever p is prime. 

Let rad(n) be the product of the primes that occur in the prime-power factorization of n. For 
example, $\mathrm{rad}(360) = \mathrm{rad}(2^3 \cdot 3^2 \cdot 5) = 2 \cdot 3 \cdot 5 = 60$. 

80. Find rad(n) for each of these values of n. 

a) 300 b) 44 c) 44,004 d) 128,128 

81. Show that rad(n) = n when n is a positive integer if and only if n is square-free. 

82. What is the value of rad(n!) when n is a positive integer? 

83. Show that rad(nm) < rad(n)rad(m) for all positive integers m and n. For which positive 
integers m and n does equality hold? 

The next six exercises establish some estimates for the size of π(x), the number of primes 
less than or equal to x. These results were originally proved in the nineteenth century by 
Chebyshev. 

84. Let p be a prime and let n be a positive integer. Show that p divides $\binom{2n}{n}$ exactly 

$([2n/p] - 2[n/p]) + ([2n/p^2] - 2[n/p^2]) + \cdots + ([2n/p^t] - 2[n/p^t])$ 

times, where $t = [\log_p 2n]$. Conclude that if $p^r$ divides $\binom{2n}{n}$, then $p^r < 2n$. 

85. Use Exercise 84 to show that 

$\binom{2n}{n} < (2n)^{\pi(2n)}$. 

86. Show that the product of all primes between n and 2n is between $\binom{2n}{n}$ and $n^{\pi(2n) - \pi(n)}$. (Hint: 
Use the fact that every prime between n and 2n divides (2n)! but not $(n!)^2$.) 

87. Use Exercises 85 and 86 to show that 

$\pi(2n) - \pi(n) < n \log 4 / \log n$. 

* 88. Use Exercise 87 to show that 

$\pi(2n) = (\pi(2n) - \pi(n)) + (\pi(n) - \pi(n/2)) + (\pi(n/2) - \pi(n/4)) + \cdots < n \log 64 / \log n$. 

* 89. Use Exercises 85 and 88 to show that there are positive constants $c_1$ and $c_2$ such that 

$c_1 x / \log x < \pi(x) < c_2 x / \log x$ 

for all x > 2. (Compare this to the strong statement given in the prime number theorem, stated 
as Theorem 3.4 in Section 3.2.) 

Computations and Explorations 

1. Find the prime factorizations of 8,616,460,799; 1,234,567,890; 111,111,111,111; and 
43,854,532,213,873. 

2. Compare the number of primes of the form 4n + 1 and the number of primes of the form 
4n + 3 for a range of values of n. Can you make any conjectures about the relationship 
between these numbers? 

3. Find the smallest prime of the form an + b, given integers a and b, for a range of values of 
a and b. Can you make any conjectures about such primes? 

4. Find the number of powerful numbers (defined in Exercise 9) less than $10^m$ for integers 
m = 1, 2, 3, 4, 5, 6. 

5. Find as many pairs of consecutive positive integers that are both powerful (defined in Exercise 
9) as you can. 

Programming Projects 

1. Find all of the positive divisors of a positive integer from its prime factorization. 

2. Find the greatest common divisor of two positive integers from their prime factorizations. 

3. Find the least common multiple of two positive integers from their prime factorizations. 

4. Find the number of zeros at the end of the decimal expansion of n!, where n is a positive 
integer. 

5. Find the prime factorization of n!, where n is a positive integer. 

6. Find the number of powerful numbers (defined in Exercise 9) less than a positive integer n. 


3.6 Factorization Methods and the Fermat Numbers 

By the fundamental theorem of arithmetic, we know that every positive integer can 
be written uniquely as the product of primes. In this section, we discuss the problem 
of determining this factorization, and we introduce several simple factoring methods. 
Factoring integers is an extremely active area of mathematical research, especially 
because it is important in cryptography, as we will see in Chapter 8. In that chapter, 
we will learn that the security of the RSA public-key cryptosystem is based on the 
observation that factoring integers is much, much harder than finding large primes. 

Before we discuss the current status of factoring algorithms, we will consider the 
most direct way to factor integers, called trial division. We will explain why it is not 
very efficient. Recall from Theorem 3.2 that n either is prime or has a prime factor not 
exceeding $\sqrt{n}$. Consequently, when we divide n successively by the primes 2, 3, 5, ..., 
not exceeding $\sqrt{n}$, either we find a prime factor $p_1$ of n or we conclude that n is prime. 
If we have located a prime factor $p_1$ of n, we next look for a prime factor of $n_1 = n/p_1$, 
beginning our search with the prime $p_1$, as $n_1$ has no prime factor less than $p_1$, and any 
factor of $n_1$ is also a factor of n. We continue, if necessary, determining whether any of the 
primes not exceeding $\sqrt{n_1}$ divide $n_1$. We continue in this manner, proceeding iteratively, 
to find the prime factorization of n. 

Example 3.22. Let n = 42,833. We note that n is not divisible by 2, 3, or 5, but that 
7 | n. We have 

42,833 = 7 · 6119. 

Trial divisions show that 6119 is not divisible by any of the primes 7, 11, 13, 17, 19, or 
23. However, we see that 

6119 = 29 · 211. 

Because $29 > \sqrt{211}$, we know that 211 is prime. We conclude that the prime factorization 
of 42,833 is 42,833 = 7 · 29 · 211. ◄ 

Unfortunately, this method for finding the prime factorization of an integer is 
quite inefficient. To factor an integer N, it may be necessary to perform as many as 
$\pi(\sqrt{N})$ divisions (assuming that we already have a list of the primes not exceeding 
$\sqrt{N}$), altogether requiring on the order of $\sqrt{N} \log N$ bit operations because, from the 
prime number theorem, $\pi(\sqrt{N})$ is approximately $\sqrt{N}/\log \sqrt{N} = 2\sqrt{N}/\log N$, and 
from Theorem 2.7, these divisions take $O(\log^2 N)$ bit operations each. 
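
The procedure above, written out in Python as an added example (not code from the text; the function names are illustrative). It reproduces Example 3.22 and counts the divisions performed, so the worst case of $\pi(\sqrt{N})$ divisions for a prime N can be observed directly.

```python
from math import isqrt


def primes_upto(limit):
    """Sieve of Eratosthenes: list of all primes <= limit."""
    if limit < 2:
        return []
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, isqrt(limit) + 1):
        if sieve[p]:
            # Cross out p*p, p*p + p, ... (smaller multiples are already gone).
            sieve[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return [i for i, flag in enumerate(sieve) if flag]


def trial_division(n):
    """Factor n by trial division.

    Returns (prime factors with multiplicity, number of divisions made).
    After a prime factor p is found, the search continues on n/p starting
    again at p, and stops once p exceeds the square root of what is left.
    """
    if n < 2:
        raise ValueError("n must be an integer greater than 1")
    primes = primes_upto(isqrt(n))      # the list of primes assumed in the text
    factors, divisions, i = [], 0, 0
    while i < len(primes) and primes[i] * primes[i] <= n:
        p = primes[i]
        divisions += 1
        if n % p == 0:
            factors.append(p)
            n //= p                     # continue with n_1 = n / p, same p
        else:
            i += 1
    if n > 1:
        factors.append(n)               # no prime <= sqrt(n) divides n: n is prime
    return factors, divisions


if __name__ == "__main__":
    print(trial_division(42833))        # Example 3.22
    # Worst case: N prime, so every prime up to sqrt(N) is tried.
    print(trial_division(1000003), len(primes_upto(isqrt(1000003))))
```
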

Modern Factorization Methods 

Mathematicians have long been fascinated with the problem of factoring integers. In 
the seventeenth century, Pierre de Fermat invented a factorization method based on the 
idea of representing a composite integer as the difference of two squares. This method 
is of theoretical and some practical importance, but is not very efficient in itself. We will 
discuss Fermat’s factorization method later in this section. 

Since 1970, many new factorization methods have been invented that make it possible, 
using powerful modern computers, to factor integers that had previously seemed 
impervious. We will describe several of the simplest of these newer methods. However, 
the most powerful factorization methods currently known are extremely complicated. 
Their description is beyond the scope of this book, but we will discuss the size of the 
integers that they can factor. 

Among recent factorization methods (developed in the past 30 years) are several 
invented by J. M. Pollard, including the Pollard rho method (discussed in Section 4.6) 
and the Pollard p - 1 method (discussed in Section 6.1). These two methods are generally 
too slow for difficult factoring problems, unless the numbers being factored have special 
properties. In Section 12.5, we will introduce another method for factoring that uses 
continued fractions. A variation of this method, introduced by Morrison and Brillhart, 
was the major method used to factor large integers during the 1970s. This algorithm 
was the first factoring algorithm to run in subexponential time, which means that the 
number of bit operations required to factor an integer n could be written in the form 
$n^{a(n)}$, where $a(n)$ decreases as n increases. A useful notation for describing the number 

PIERRE DE FERMAT (1601-1665) was a lawyer by profession. He was 
a noted jurist at the provincial parliament in the French city of Toulouse. 
Fermat was probably the most famous amateur mathematician in history. He 
published almost none of his mathematical discoveries, but did correspond with 
contemporary mathematicians about them. From his correspondents, especially 
the French monk Mersenne (discussed in Chapter 6), the world learned about his 
many contributions to mathematics. Fermat was one of the inventors of analytic 
geometry. Furthermore, he laid the foundations of calculus. Fermat, along with 
Pascal, gave a mathematical basis to the concept of probability. Some of Fermat’s discoveries come to 
us only because he made notes in the margins of his copy of the work of Diophantus. His son found his 
copy with these notes, and published them so that other mathematicians would be aware of Fermat’s 
results and claims. 

of bit operations required to factor a number by an algorithm running in subexponential 
time is L(a, b), which implies that the number of bit operations used by the algorithm is 
$O(\exp(b (\log n)^a (\log \log n)^{1-a}))$. (The precise definition of L(a, b) is somewhat more 
complicated.) The variation of the continued fraction algorithm invented by Morrison and 
Brillhart uses $L(1/2, \sqrt{3/2})$ bit operations. Its greatest success was the factorization of 
a 63-digit number in 1970. 

The quadratic sieve, described by Carl Pomerance in 1981, made it possible for 
the first time to factor numbers having more than one hundred digits not of a special 
form. This method, with many enhancements added after its original invention, uses 
L(1/2, 1) bit operations. Its great success was in factoring a 129-digit integer known 
as RSA-129, whose factorization was posed as a challenge by the inventors of the 
RSA cryptosystem discussed in Chapter 8. Currently, the best general-purpose factoring 
algorithm for integers with more than 115 digits is the number field sieve, originally 
suggested by Pollard and improved by Buhler, Lenstra, and Pomerance, which uses 
$L(1/3, (64/9)^{1/3})$ bit operations. Its greatest success has been the factorization of a 200-digit 
integer known as RSA-200 in 2005. For factoring numbers with fewer than 115 
digits, the quadratic sieve still seems to be quicker than the number field sieve. 

An important feature of the number field and quadratic sieves (as well as other methods) 
is that these algorithms can be run in parallel on many computers (or processors) at 
the same time. This makes it possible for large teams of people to work on factoring the 
same integer. (See the historical note on factoring RSA-129 and other RSA challenge 
numbers, at the end of this subsection.) 

How big will the numbers be that can be factored in the future? The answer depends 
on whether (or, more likely, how soon) more efficient algorithms are invented, as well 
as how quickly computing power advances. A useful and commonly used measure 
for estimating the amount of computing required to factor integers of a certain size is 
millions of instructions per second-years, or MIPS-years. (One MIPS-year represents 
the computing power of the classical DEC VAX 11/780 during one year. It is still 
used as a reference point even though this computer is obsolete. Pentium PCs operate 
at hundreds of MIPS.) Table 3.2 (adapted from information in [Od95]) displays the 
computing power (in terms of MIPS-years, rounded to the nearest power of ten) required 
to factor integers of a given size using the number field sieve. Teams of people can 


Number of Decimal Digits    Approximate MIPS-Years Required 
150                         $10^{4}$ 
225                         $10^{8}$ 
300                         $10^{11}$ 
450                         $10^{16}$ 
600                         $10^{20}$ 

Table 3.2 Computing power required to factor integers using the 
number field sieve. 

work together, dedicating thousands or even millions of MIPS-years to factor particular 
numbers. Consequently, even without the development of new algorithms, it might not 
be surprising to see the factorization, within the next few years, of integers (not of a 
special form) with 250, or perhaps 300, decimal digits. 

For further information on factoring algorithms, we refer the reader to [Br89], 
[Br00], [CrPo05], [Di84], [Gu75], [Od95], [Po84], [Po90], [Ri94], [Ru83], [WaSm87], 
and [Wi84]. 

Fermat Factorization We now describe a factorization technique that is interesting, 
although it is not always efficient. This technique, discovered by Fermat, is known as 
Fermat factorization, and is based on the following lemma. 

Lemma 3.9. If n is an odd positive integer, then there is a one-to-one correspondence 
between factorizations of n into two positive integers and differences of two squares that 
equal n. 

Proof. Let n be an odd positive integer and let n = ab be a factorization of n into two 
positive integers. Then n can be written as the difference of two squares, because 

$n = ab = s^2 - t^2$, 

where s = (a + b)/2 and t = (a - b)/2 are both integers because a and b are both odd. 

Conversely, if n is the difference of two squares, say, $n = s^2 - t^2$, then we can factor 
n by noting that n = (s - t)(s + t). 


The RSA Factoring Challenge 

The RSA Factoring Challenge, which ran from 1991 to 2007, was a contest that challenged 
mathematicians to factor certain large integers. Its purpose was to track progress in 
factorization methods, which has important implications for cryptography (see Chapter 8). The 
first RSA challenge made in 1991, first posed in 1977 in Martin Gardner’s column in 
Scientific American, was to factor a 129-digit integer, known as RSA-129. A $100 prize was 
offered for the decryption of a message; the message could be decrypted easily when this 
129-digit number was factored, but not otherwise. Seventeen years passed before this 
challenge was met in 1994. The factorization of RSA-129 using the quadratic sieve method took 
approximately 5000 MIPS-years, and was carried out in eight months by more than 600 
people working together. RSA Labs, a part of RSA Data Security (the company that holds 
the patents for the RSA cryptosystem discussed in Chapter 8), sponsored the challenge, and 
offered cash prizes for the factorization of integers on challenge lists. They awarded 
more than $80,000 for successful factorizations. Factorizations of numbers on their list led 
to world records. For example, in 1996, a team led by Arjen Lenstra used the number field 
sieve to factor RSA-130. This took approximately 750 MIPS-years. In 1999, the number 
field sieve was used to factor RSA-140 and RSA-155, using 2000 and 8000 MIPS-years, 
respectively. The largest number factored as part of this challenge was RSA-200, an integer 
with 200 decimal digits, which was factored in 2005 by a team led by Jens Franke at the 
University of Bonn. 

We leave it to the reader to show that this is a one-to-one correspondence. ■ 

To carry out the method of Fermat factorization, we look for solutions of the 
equation $n = x^2 - y^2$ by searching for perfect squares of the form $x^2 - n$. Hence, to 
find factorizations of n, we search for a square among the sequence of integers 

$t^2 - n, \; (t + 1)^2 - n, \; (t + 2)^2 - n, \; \ldots$ 

where t is the smallest integer greater than $\sqrt{n}$. This procedure is guaranteed to terminate, 
because the trivial factorization n = n · 1 leads to the equation 

Example 3.23. We factor 6077 using the method of Fermat factorization. Because 
$77 < \sqrt{6077} < 78$, we look for a perfect square in the sequence 

$78^2 - 6077 = 7$ 
$79^2 - 6077 = 164$ 
$80^2 - 6077 = 323$ 
$81^2 - 6077 = 484 = 22^2$. 

Because $6077 = 81^2 - 22^2$, we see that 6077 = (81 - 22)(81 + 22) = 59 · 103. ◄ 

Unfortunately, Fermat factorization can be very inefficient. To factor n using this 
technique, it may be necessary to check as many as $(n + 1)/2 - [\sqrt{n}]$ integers to 
determine whether they are perfect squares. Fermat factorization works best when it is 
used to factor integers having two factors of similar size. Although Fermat factorization 
is rarely used to factor large integers, its basic idea is the basis for many more powerful 
factorization algorithms used extensively in computer calculations. 
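
Fermat factorization as described above, as an added Python example (not code from the text; names and the constructed test moduli are illustrative). It returns the number of candidates checked, and the optional step budget turns it into a quick check that a two-prime modulus does not have factors close to its square root, the case in which the method succeeds almost immediately.

```python
from math import isqrt


def fermat_factor(n, max_steps=None):
    """Search t^2 - n, (t+1)^2 - n, ... for a perfect square.

    Returns (a, b, steps) with n = a * b, a <= b, and steps = number of
    candidates x that were checked, or None if max_steps candidates were
    checked without success. With no budget the search always terminates,
    at the latest with the trivial factorization 1 * n.
    """
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    r = isqrt(n)
    if r * r == n:                      # n itself is a square: n = r * r
        return r, r, 0
    x, steps = r + 1, 0                 # t = smallest integer greater than sqrt(n)
    while max_steps is None or steps < max_steps:
        steps += 1
        y2 = x * x - n
        y = isqrt(y2)
        if y * y == y2:                 # n = x^2 - y^2 = (x - y)(x + y)
            return x - y, x + y, steps
        x += 1
    return None


def worst_case_checks(n):
    """The bound from the text: (n + 1)/2 - [sqrt(n)] candidates."""
    return (n + 1) // 2 - isqrt(n)


if __name__ == "__main__":
    print(fermat_factor(6077))                       # Example 3.23
    close = 10007 * 10009                            # constructed: factors 2 apart
    print(fermat_factor(close))                      # found on the first candidate
    far = 3 * 10007                                  # constructed: factors far apart
    print(fermat_factor(far, max_steps=1000))        # budget exhausted: None
    print(fermat_factor(far), worst_case_checks(far))
```
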


The Fermat Numbers 

The integers $F_n = 2^{2^n} + 1$ are called the Fermat numbers. Fermat conjectured that these 
integers are all primes. Indeed, the first few are primes, namely, $F_0 = 3$, $F_1 = 5$, $F_2 = 17$, 
$F_3 = 257$, and $F_4 = 65,537$. Unfortunately, $F_5 = 2^{2^5} + 1$ is composite, as we will now 
demonstrate. 


Example 3.24. The Fermat number $F_5 = 2^{2^5} + 1$ is divisible by 641. We can show 
that $641 \mid F_5$ without actually performing the division, using several not-so-obvious 
observations. Note that 

$641 = 5 \cdot 2^7 + 1 = 2^4 + 5^4$. 

Hence, 

$2^{2^5} + 1 = 2^{32} + 1 = 2^4 \cdot 2^{28} + 1 = (641 - 5^4) 2^{28} + 1$ 
$= 641 \cdot 2^{28} - (5 \cdot 2^7)^4 + 1 = 641 \cdot 2^{28} - (641 - 1)^4 + 1$ 
$= 641(2^{28} - 641^3 + 4 \cdot 641^2 - 6 \cdot 641 + 4)$. 

Therefore, we see that $641 \mid F_5$. ◄ 

The following result is a valuable aid in the factorization of Fermat numbers. 

Theorem 3.20. Every prime divisor of the Fermat number $F_n = 2^{2^n} + 1$ is of the form 
$2^{n+2} k + 1$. 


The proof of Theorem 3.20 is presented as an exercise in Chapter 11. Here, we 
indicate how Theorem 3.20 is useful in determining the factorization of Fermat numbers. 

Example 3.25. From Theorem 3.20, we know that every prime divisor of $F_3 = 2^{2^3} + 1 = 257$ 
must be of the form $2^5 k + 1 = 32 \cdot k + 1$. Because there are no primes of this 
form less than or equal to $\sqrt{257}$, we can conclude that $F_3 = 257$ is prime. ◄ 

Example 3.26. When factoring $F_6 = 2^{2^6} + 1$, we use Theorem 3.20 to see that all of 
its prime factors are of the form $2^8 k + 1 = 256 \cdot k + 1$. Hence, we need only perform 
trial divisions of $F_6$ by primes of the form 256 · k + 1 that do not exceed $\sqrt{F_6}$. After 
considerable computation, we find that a prime divisor is obtained with k = 1071, that 
is, 274,177 = (256 · 1071 + 1) | $F_6$. ◄ 
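
The restricted trial division of Examples 3.25 and 3.26, as an added Python example (not code from the text; function names are illustrative). Divisibility is tested as $2^{2^n} \equiv -1 \pmod{d}$ with modular exponentiation, so $F_n$ never has to be written out, and candidates that are not prime are tested too, which is harmless because the smallest divisor found is necessarily prime.

```python
from math import isqrt


def fermat_number(n):
    """F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def divides_fermat(d, n):
    """True when d divides F_n, i.e. 2^(2^n) is congruent to -1 modulo d."""
    return pow(2, 1 << n, d) == d - 1


def smallest_divisor(n, max_k):
    """Try d = 2^(n+2) * k + 1 for k = 1, ..., max_k (Theorem 3.20).

    Returns (k, d) for the first d dividing F_n, or None if none does.
    Every divisor of F_n greater than 1 is a product of primes of this
    form and so has this form itself; the first hit is therefore the
    smallest divisor greater than 1, which is prime.
    """
    if n < 2:
        # F_0 = 3 and F_1 = 5 are prime and not of the form 2^(n+2) k + 1,
        # so the search is only meaningful from n = 2 on.
        raise ValueError("use n >= 2")
    step = 1 << (n + 2)
    for k in range(1, max_k + 1):
        d = step * k + 1
        if divides_fermat(d, n):
            return k, d
    return None


def proves_prime(n):
    """Example 3.25 as a procedure: F_n is prime when no candidate
    2^(n+2) k + 1 up to sqrt(F_n) divides it. Feasible for small n only."""
    bound = isqrt(fermat_number(n))
    max_k = (bound - 1) >> (n + 2)      # largest k with 2^(n+2) k + 1 <= bound
    return smallest_divisor(n, max_k) is None


if __name__ == "__main__":
    print(smallest_divisor(5, 10))      # Example 3.24: 641 = 128 * 5 + 1
    print(smallest_divisor(6, 2000))    # Example 3.26: k = 1071
    print([proves_prime(n) for n in (2, 3, 4, 5)])
```
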

Known Factorizations of Fermat Numbers A tremendous amount of effort has been 
devoted to the factorization of Fermat numbers. As yet, no new Fermat primes (beyond 
$F_4$) have been found. Many mathematicians believe that no additional Fermat primes 
exist. We will develop a primality test for Fermat numbers in Chapter 11, which has 
been used to show that many Fermat numbers are composite. (When such a test is used, 
it is not necessary to use trial division to show that a number is not divisible by a prime 
not exceeding its square root.) 

As of early 2010, a total of 243 Fermat numbers are known to be composite, but 
the complete factorizations are known for only seven composite Fermat numbers: $F_5$, 
$F_6$, $F_7$, $F_8$, $F_9$, $F_{10}$, and $F_{11}$. The Fermat number $F_9$, a number with 155 decimal 
digits, was factored in 1990 by Mark Manasse and Arjen Lenstra, using the number field 
sieve, which breaks the problem of factoring an integer into a large number of smaller 
factoring problems that can be done in parallel. Though Manasse and Lenstra farmed out 
computations for the factorization of $F_9$ to hundreds of mathematicians and computer 
scientists, it still took about two months to complete the computations. (For details of 
the factorization of $F_9$, see [Ci90].) 

The prime factorization of $F_{11}$ was discovered by Richard Brent in 1989, using a 
factorization algorithm known as the elliptic curve method (described in detail in [Br89]). 
There are 617 decimal digits in $F_{11}$, and $F_{11} = 319,489 \cdot 974,849 \cdot P_{21} \cdot P_{22} \cdot P_{564}$, where 
$P_{21}$, $P_{22}$, and $P_{564}$ are primes with 21, 22, and 564 digits, respectively. It took until 1995 
for Brent to completely factor $F_{10}$. He discovered, using elliptic curve factorization, that 
$F_{10} = 45,592,577 \cdot 6,487,031,809 \cdot P_{40} \cdot P_{252}$, where $P_{40}$ and $P_{252}$ are primes with 40 
and 252 digits, respectively. 

Many Fermat numbers are known to be composite because at least one prime factor 
of these numbers has been found, using results such as Theorem 3.20. It is also known that 
$F_n$ is composite for n = 14, 20, 22, and 24, but no factors of these numbers have yet been 
found. The largest n for which it is known that $F_n$ is composite is n = 2,478,782. ($F_{382,447}$ 
was the first Fermat number with more than 100,000 digits shown to be composite; it 
was shown to be composite in July 1999.) $F_{33}$ is the smallest Fermat number that has not 
yet been shown to be composite, if it is indeed composite. Because of steady advances 
in computer software and hardware, we can expect new results on the nature of Fermat 
numbers and their factorizations to be found at a healthy rate. 

The factorization of Fermat numbers is part of the Cunningham project, sponsored 
by the American Mathematical Society. Devoted to building tables of all the known 
factors of integers of the form $b^n \pm 1$, where b = 2, 3, 5, 6, 7, 10, 11, and 12, the 
project’s name refers to A. J. Cunningham, a colonel in the British army, who compiled 
a table of factors of integers of this sort in the early years of the twentieth century. The 
factor tables as of 1988 are contained in [Br88]; the current state of affairs is available 
over the Internet. Numbers of the form $b^n \pm 1$ are of special interest because of their 
importance in generating pseudorandom numbers (see Chapter 10), their importance in 
abstract algebra, and their significance in number theory. 

In conjunction with the Cunningham project, a list of the “ten most wanted” integers 
to be factored is kept by Samuel Wagstaff of Purdue University. For example, until it was 
factored in 1990, $F_9$ was on this list. With advances in factoring techniques and computer 
power, increasingly larger numbers are included on the list. In the early 1980s, the largest 
had between 50 and 70 decimal digits; in the early 1990s, they had between 90 and 130 
decimal digits; in the early 2000s, they had between 150 and 200 decimal digits; as of 
early 2010, they had between 185 and 233 decimal digits. 

Using the Fermat Numbers to Prove the Infinitude of Primes It is possible to 
prove that there are infinitely many primes using Fermat numbers. We begin by showing 
that any two distinct Fermat numbers are relatively prime. The following lemma will be 
used. 


Lemma 3.10. Let $F_k = 2^{2^k} + 1$ denote the kth Fermat number, where k is a nonnegative 
integer. Then for all positive integers n, we have 

$F_0 F_1 F_2 \cdots F_{n-1} = F_n - 2$. 

Proof. We will prove the lemma using mathematical induction. For n = 1, the identity 
reads 

$F_0 = F_1 - 2$. 

This is obviously true, because $F_0 = 3$ and $F_1 = 5$. Now, let us assume that the identity 
holds for the positive integer n, so that 

$F_0 F_1 F_2 \cdots F_{n-1} = F_n - 2$. 

With this assumption, we can easily show that the identity holds for the integer n + 1, 
because 

$F_0 F_1 F_2 \cdots F_{n-1} F_n = (F_0 F_1 F_2 \cdots F_{n-1}) F_n$ 
$= (F_n - 2) F_n = (2^{2^n} - 1)(2^{2^n} + 1)$ 
$= (2^{2^n})^2 - 1 = 2^{2^{n+1}} - 1 = F_{n+1} - 2$. ■ 

This leads to the following theorem. 

Theorem 3.21. Let m and n be distinct nonnegative integers. Then the Fermat numbers 
$F_m$ and $F_n$ are relatively prime. 

Proof. Let us assume that m < n. By Lemma 3.10, we know that 

$F_0 F_1 F_2 \cdots F_m \cdots F_{n-1} = F_n - 2$. 

Assume that d is a common divisor of $F_m$ and $F_n$. Then, Theorem 1.8 tells us that 

$d \mid (F_n - F_0 F_1 F_2 \cdots F_m \cdots F_{n-1}) = 2$. 

Hence, either d = 1 or d = 2. However, because $F_m$ and $F_n$ are odd, d cannot be 2. 
Consequently, d = 1 and $(F_m, F_n) = 1$. ■ 

Using Fermat numbers, we now give another proof that there are infinitely many 
primes. First, we note that by Lemma 3.1 in Section 3.1, every Fermat number $F_n$ has a 
prime divisor $p_n$. Because $(F_m, F_n) = 1$, we know that $p_m \ne p_n$ whenever $m \ne n$. Hence, 
we can conclude that there are infinitely many primes. 

The Fermat Primes and Geometry The Fermat primes are important in geometry. 
The proof of the following famous theorem of Gauss may be found in [Or88]. 

Theorem 3.22. A regular polygon of n sides can be constructed using a straightedge 
(unmarked ruler) and compass if and only if n is the product of a nonnegative power of 
2 and a nonnegative number of distinct Fermat primes. 


3.6 Exercises 

1. Find the prime factorization of each of the following positive integers. 

a) 33,776,925 b) 210,733,237 c) 1,359,170,111 

2. Find the prime factorization of each of the following positive integers. 

a) 33,108,075 b) 7,300,977,607 c) 4,165,073,376,607 

3. Using the Fermat factorization method, factor each of the following positive integers. 

a) 143 b) 2279 c) 43 d) 11,413 

4. Using the Fermat factorization method, factor each of the following positive integers. 

a) 8051 c) 46,009 e) 3,200,399 

b) 73 d) 11,021 f) 24,681,023 

5. Show that the last two decimal digits of a perfect square must be one of the following pairs: 
00, e1, e4, 25, o6, e9, where e stands for any even digit and o stands for any odd digit. 
(Hint: Show that $n^2$, $(50 + n)^2$, and $(50 - n)^2$ all have the same final decimal digits, and then 
consider those integers n with 0 < n < 25.) 

6. Explain how the result of Exercise 5 can be used to speed up Fermat’s factorization method. 

7. Show that if the smallest prime factor of n is p, then $x^2 - n$ will not be a perfect square for 
$x > (n + p^2)/(2p)$, with the single exception x = (n + 1)/2. 


Exercises 8-10 involve the method of Draim factorization. To use this technique to search for a 
factor of the positive integer $n = n_1$, we start by using the division algorithm, to obtain 

$$n_1 = 3q_1 + r_1, \quad 0 \le r_1 < 3.$$

Setting $m_1 = n_1$, we let 

$$m_2 = m_1 - 2q_1, \quad n_2 = m_2 + r_1.$$

We use the division algorithm again, to obtain 

$$n_2 = 5q_2 + r_2, \quad 0 \le r_2 < 5,$$

and we let 

$$m_3 = m_2 - 2q_2, \quad n_3 = m_3 + r_2.$$

We proceed recursively, using the division algorithm, to write 

$$n_k = (2k + 1)q_k + r_k, \quad 0 \le r_k < 2k + 1,$$

and we define 

$$m_k = m_{k-1} - 2q_{k-1}, \quad n_k = m_k + r_{k-1}.$$

We stop when we obtain a remainder $r_k = 0$. 

8. Show that $n_k = k n_1 - (2k + 1)(q_1 + q_2 + \cdots + q_{k-1})$ and that 
$m_k = n_1 - 2 \cdot (q_1 + q_2 + \cdots + q_{k-1})$. 

9. Show that if $(2k + 1) \mid n$, then $(2k + 1) \mid n_k$ and $n = (2k + 1) m_{k+1}$. 

10. Factor 5899 using Draim factorization. 

In Exercises 11-13, we develop a factorization technique known as Euler’s method. It is applicable 
when the integer being factored is odd and can be written as the sum of two squares in two different 
ways. Let n be odd and let $n = a^2 + b^2 = c^2 + d^2$, where a and c are odd positive integers and b 
and d are even positive integers. 

11. Let $u = (a - c, b - d)$. Show that u is even, and that if $r = (a - c)/u$ and $s = (d - b)/u$, 
then $(r, s) = 1$, $r(a + c) = s(d + b)$, and $s \mid (a + c)$. 

12. Let $sv = a + c$. Show that $rv = d + b$, $v = (a + c, d + b)$, and v is even. 

13. Conclude that n may be factored as $n = [(u/2)^2 + (v/2)^2](r^2 + s^2)$. 

14. Use Euler’s method to factor each of the following integers. 

a) $221 = 10^2 + 11^2 = 5^2 + 14^2$ 

b) $2501 = 50^2 + 1^2 = 49^2 + 10^2$ 

c) $1{,}000{,}009 = 1000^2 + 3^2 = 972^2 + 235^2$ 

15. Show that any number of the form $2^{4n+2} + 1$ can be factored easily by the use of the identity 
$4x^4 + 1 = (2x^2 + 2x + 1)(2x^2 - 2x + 1)$. Factor $2^{18} + 1$ using this identity. 

16. Show that if a is a positive integer and $a^m + 1$ is an odd prime, then $m = 2^n$ for some 
nonnegative integer n. (Hint: Recall the identity $a^m + 1 = (a^k + 1)(a^{k(l-1)} - \cdots - a^k + 1)$, 
where m = kl and l is odd.) 

17. Show that the last digit in the decimal expansion of $F_n = 2^{2^n} + 1$ is 7 if $n \ge 2$. (Hint: Using 
mathematical induction, show that the last decimal digit of $2^{2^n}$ is 6.) 

18. Use the fact that every prime divisor of $F_4 = 2^{2^4} + 1 = 65{,}537$ is of the form $2^6 k + 1 = 
64k + 1$ to verify that $F_4$ is prime. (You should need only one trial division.) 

19. Use the fact that every prime divisor of $F_5 = 2^{2^5} + 1$ is of the form $2^7 k + 1 = 128k + 1$ to 
demonstrate that the prime factorization of $F_5$ is $F_5 = 641 \cdot 6{,}700{,}417$. 

20. Find all primes of the form $2^{2^n} + 5$, where n is a nonnegative integer. 

21. Estimate the number of decimal digits in the Fermat number $F_n$. 

* 22. What is the greatest common divisor of n and $F_n$, where n is a positive integer? Prove that 
your answer is correct. 

23. Show that the only integer of the form $2^m + 1$, where m is a positive integer, that is a power 
of a positive integer (i.e., is of the form $n^k$, where n and k are positive integers with $k \ge 2$) 
occurs when m = 3. 

24. Factoring kn by the Fermat factorization method, where k is a small positive integer, is 
sometimes easier than factoring n by this method. Show that to factor 901 by the Fermat 
factorization method, it is easier to factor 3 • 901 = 2703 than to factor 901. 

Computations and Explorations 

1. Using trial division, find the prime factorization of several integers of your choice exceeding 
10,000. 

2. Factor several integers of your choice exceeding 10,000, using Fermat factorization. 

3. Factor the Fermat numbers $F_6$ and $F_7$ using Theorem 3.20. 

Programming Projects 

1. Given a positive integer n, find the prime factorization of n. 

2. Given a positive integer n, perform the Fermat factorization method on n. 

3. Given a positive integer n, perform Draim factorization on n (see the preamble to Exercise 8). 

4. Check the Fermat number $F_n$, where n is a positive integer, for prime factors, using Theorem 
3.20. 

3.7 Linear Diophantine Equations 

Consider the following problem: A man wishes to purchase $510 of travelers’ checks. 
The checks are available only in denominations of $20 and $50. How many of each 
denomination should he buy? If we let x denote the number of $20 checks and y the 
number of $50 checks that he should buy, then the equation 20x + 50y = 510 must be 
satisfied. To solve this problem, we need to find all solutions of this equation, where both 
x and y are nonnegative integers. 

A related problem arises when a woman wishes to mail a package. The postal clerk 
determines the cost of postage to be 83 cents, but only 6-cent and 15-cent stamps are 
available. Can some combination of these stamps be used to mail the package? To answer 
this, we first let x denote the number of 6-cent stamps and y the number of 15-cent stamps 
to be used. Then we must have 6x + 15y = 83, where both x and y are nonnegative 
integers. 

When we require that solutions of a particular equation come from the set of integers, 
we have a diophantine equation. These equations get their name from the ancient Greek 
mathematician Diophantus, who wrote on equations where solutions are restricted to 
rational numbers. The equation ax + by = c, where a, b, and c are integers, is called a 
linear diophantine equation in two variables. 

Note that the pair of integers (x, y) is a solution of the linear diophantine equation 
ax + by = c if and only if (x, y) is a lattice point in the plane that lies on the 
line ax + by = c. We illustrate this in Figure 3.2 for the linear diophantine equation 
2x + 3y = 5. 

The first person to describe a general solution of linear diophantine equations was the 
Indian mathematician Brahmagupta, who included it in a book he wrote in the seventh 
century. We now develop the theory for solving such equations. The following theorem 
tells us when such an equation has solutions, and when there are solutions, explicitly 
describes them. 


Theorem 3.23. Let a and b be integers with d = (a, b). The equation ax + by = c has 
no integral solutions if $d \nmid c$. If $d \mid c$, then there are infinitely many integral solutions. 


DIOPHANTUS (c. 250) wrote the Arithmetica, which is the earliest known book on 
algebra; it contains the first systematic use of mathematical notation to represent unknowns 
in equations and powers of these unknowns. Almost nothing is known about Diophantus, 
other than that he lived in Alexandria around 250 C.E. The only source of details about his 
life comes from an epigram found in a collection called the Greek Anthology: “Diophantus 
passed one sixth of his life in childhood, one twelfth in youth, and one seventh as a bachelor. 
Five years after his marriage was born a son who died four years before his father, at half 
his father’s age.” From this the reader can infer that Diophantus lived to the age of 84. 
Figure 3.2 Solutions of 2x + 3y = 5 in integers x and y correspond to the lattice points on the 
line 2x + 3y = 5. 

Moreover, if $x = x_0$, $y = y_0$ is a particular solution of the equation, then all solutions are 
given by 

$$x = x_0 + (b/d)n, \quad y = y_0 - (a/d)n,$$

where n is an integer. 

Proof. Assume that x and y are integers such that ax + by = c. Then, because $d \mid a$ 
and $d \mid b$, by Theorem 1.9, $d \mid c$ as well. Hence, if $d \nmid c$, there are no integral solutions 
of the equation. 

Now assume that $d \mid c$. By Theorem 3.8, there are integers s and t with 

$$d = as + bt. \tag{3.3}$$

Because $d \mid c$, there is an integer e with de = c. Multiplying both sides of (3.3) by e, we 
have 

$$c = de = (as + bt)e = a(se) + b(te).$$

Hence, one solution of the equation is given by $x = x_0$ and $y = y_0$, where $x_0 = se$ and 
$y_0 = te$. 

To show that there are infinitely many solutions, let $x = x_0 + (b/d)n$ and 
$y = y_0 - (a/d)n$, where n is an integer. We will first show that any pair (x, y), with 
$x = x_0 + (b/d)n$, $y = y_0 - (a/d)n$, where n is an integer, is a solution; then we will show 
that every solution must have this form. We see that this pair (x, y) is a solution, because 

$$ax + by = ax_0 + a(b/d)n + by_0 - b(a/d)n = ax_0 + by_0 = c.$$

We now show that every solution of the equation ax + by = c must be of the form 
described in the theorem. Suppose that x and y are integers with ax + by = c. Because 

$$ax_0 + by_0 = c,$$

by subtraction we find that 

$$(ax + by) - (ax_0 + by_0) = 0,$$

which implies that 

$$a(x - x_0) + b(y - y_0) = 0.$$

Hence, 

$$a(x - x_0) = b(y_0 - y).$$

Dividing both sides of this last equation by d, we see that 

$$(a/d)(x - x_0) = (b/d)(y_0 - y).$$

By Theorem 3.6, we know that (a/d, b/d) = 1. Using Lemma 3.4, it follows that 
$(a/d) \mid (y_0 - y)$. Hence, there is an integer n with $(a/d)n = y_0 - y$; this means that 
$y = y_0 - (a/d)n$. Now, putting this value of y into the equation $a(x - x_0) = b(y_0 - y)$, 
we find that $a(x - x_0) = b(a/d)n$, which implies that $x = x_0 + (b/d)n$. ■ 

The following examples illustrate the use of Theorem 3.23. 

Example 3.27. By Theorem 3.23, there are no integral solutions of the diophantine 
equation 15x + 6y = 7, because (15, 6) = 3 but $3 \nmid 7$. ◄ 


BRAHMAGUPTA (598-670), thought to have been born in Ujjain, India, became the 
head of the astronomical observatory there; this observatory was the center of Indian math- 
ematical studies at that time. Brahmagupta wrote two important books on mathematics 
and astronomy, Brahma-sphuta-siddhanta (“The Opening of the Universe”) and Khan- 
dakhadyaka, written in 628 and 665, respectively. He developed many interesting formulas 
and theorems in planar geometry, and studied arithmetic progressions and quadratic equa- 
tions. Brahmagupta developed new algebraic notation, and his understanding of the number 
system was advanced for his time. He is considered to be the first person to describe a gen- 
eral solution of linear diophantine equations. In astronomy, he studied eclipses, positions 
of the planets, and the length of the year. 
Example 3.28. By Theorem 3.23, there are infinitely many solutions of the diophantine 
equation 21x + 14y = 70, because (21, 14) = 7 and $7 \mid 70$. To find these solutions, note 
that by the Euclidean algorithm, $1 \cdot 21 + (-1) \cdot 14 = 7$, so that $10 \cdot 21 + (-10) \cdot 14 = 70$. 
Hence, $x_0 = 10$, $y_0 = -10$ is a particular solution. All solutions are given by $x = 10 + 2n$, 
$y = -10 - 3n$, where n is an integer. ◄ 

We will now use Theorem 3.23 to solve the two problems described at the beginning 
of the section. 

Example 3.29. Consider the problem of forming 83 cents in postage using only 6- and 
15-cent stamps. If x denotes the number of 6-cent stamps and y denotes the number 
of 15-cent stamps, we have 6x + 15y = 83. Because (6, 15) = 3 does not divide 83, by 
Theorem 3.23 we know that there are no integral solutions. Hence, no combination of 
6- and 15-cent stamps gives the correct postage. ◄ 

Example 3.30. Consider the problem of purchasing $510 of travelers’ checks, using 
only $20 and $50 checks. How many of each type of check should be used? 

Let x be the number of $20 checks and let y be the number of $50 checks. We have 
the equation 20x + 50y = 510. Note that the greatest common divisor of 20 and 50 is 
(20, 50) = 10. Because 10 | 510, there are infinitely many integral solutions of this linear 
diophantine equation. Using the Euclidean algorithm, we find that 20(−2) + 50 = 10. 
Multiplying both sides by 51, we obtain 20(−102) + 50(51) = 510. Hence, a particular 
solution is given by x_0 = −102 and y_0 = 51. Theorem 3.23 tells us that all integral 
solutions are of the form x = −102 + 5n and y = 51 − 2n. Because we want both x and 
y to be nonnegative, we must have −102 + 5n ≥ 0 and 51 − 2n ≥ 0; thus, n ≥ 20 2/5 
and n ≤ 25 1/2. Because n is an integer, it follows that n = 21, 22, 23, 24, or 25. Hence, 
we have the following five solutions: (x, y) = (3, 9), (8, 7), (13, 5), (18, 3), and (23, 1). 
So the teller can give the customer 3 $20 checks and 9 $50 checks, 8 $20 checks and 7 
$50 checks, 13 $20 checks and 5 $50 checks, 18 $20 checks and 3 $50 checks, or 23 
$20 checks and 1 $50 check. ◄ 

We can extend Theorem 3.23 to cover linear diophantine equations with more than 
two variables, as the following theorem demonstrates. 

Theorem 3.24. If $a_1, a_2, \ldots, a_n$ are nonzero integers, then the equation 
$a_1 x_1 + a_2 x_2 + \cdots + a_n x_n = c$ has an integral solution if and only if 
$d = (a_1, a_2, \ldots, a_n)$ divides c. Furthermore, when there is a solution, there are 
infinitely many solutions. 

Proof. If there are integers $x_1, x_2, \ldots, x_n$ such that $a_1 x_1 + a_2 x_2 + \cdots + a_n x_n = c$, then 
because d divides $a_i$ for $i = 1, 2, \ldots, n$, by Theorem 1.9, d also divides c. Hence, if $d \nmid c$ 
there are no integral solutions of the equation. 

We will use mathematical induction to prove that there are infinitely many integral 
solutions when $d \mid c$. Note that by Theorem 3.23 this is true when n = 2. 

Now, suppose that there are infinitely many solutions for all equations in n vari- 
ables satisfying the hypotheses. By Theorem 3.9, the set of linear combinations 
$a_n x_n + a_{n+1} x_{n+1}$ is the same as the set of multiples of $(a_n, a_{n+1})$. Hence, for every integer y 
there are infinitely many solutions of the linear diophantine equation 
$a_n x_n + a_{n+1} x_{n+1} = (a_n, a_{n+1}) y$. It follows that the original equation in n + 1 variables can be 
reduced to a linear diophantine equation in n variables: 

$$a_1 x_1 + a_2 x_2 + \cdots + a_{n-1} x_{n-1} + (a_n, a_{n+1}) y = c.$$

Note that c is divisible by $(a_1, a_2, \ldots, a_{n-1}, (a_n, a_{n+1}))$ because, by Lemma 3.2, this 
greatest common divisor equals $(a_1, a_2, \ldots, a_n, a_{n+1})$. By the inductive hypothesis, this 
equation has infinitely many integer solutions, as it is a linear diophantine equation in n 
variables where the greatest common divisor of the coefficients divides the constant c. 
It follows that there are infinitely many solutions to the original equation. ■ 

A method for solving linear diophantine equations in more than two variables can 
be found using the reduction in the proof of Theorem 3.24. We leave an application of 
Theorem 3.24 to the exercises. 
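
The procedure of Theorem 3.23 (Examples 3.27-3.30) and the reduction used in the proof of Theorem 3.24 can be carried out mechanically. The following Python code is an added example, not part of the text; the function names are chosen here, and the three-variable equation 6x + 10y + 15z = 1 is constructed sample input.

```python
"""Linear diophantine equations, following Theorems 3.23 and 3.24."""


def ext_gcd(a, b):
    """Return (d, s, t) with d = (a, b) >= 0 and d = a*s + b*t (Theorem 3.8)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        # Invariants: old_r = a*old_s + b*old_t and r = a*s + b*t.
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    if old_r < 0:  # normalize so the greatest common divisor is nonnegative
        old_r, old_s, old_t = -old_r, -old_s, -old_t
    return old_r, old_s, old_t


def solve_two(a, b, c):
    """Solve ax + by = c in integers (Theorem 3.23).

    Returns None when d = (a, b) does not divide c. Otherwise returns
    (x0, y0, step_x, step_y), meaning that every solution is
    x = x0 + step_x*n, y = y0 - step_y*n for an integer n,
    with step_x = b/d and step_y = a/d.
    """
    if a == 0 and b == 0:
        raise ValueError("a and b must not both be zero")
    d, s, t = ext_gcd(a, b)
    if c % d != 0:
        return None
    e = c // d  # c = de, so x0 = se and y0 = te as in the proof
    return s * e, t * e, b // d, a // d


def nonnegative_solutions(a, b, c):
    """List all solutions of ax + by = c with x >= 0 and y >= 0 (a, b > 0)."""
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    general = solve_two(a, b, c)
    if general is None:
        return []
    x0, y0, step_x, step_y = general
    n_min = -(x0 // step_x)  # smallest n with x0 + step_x*n >= 0
    n_max = y0 // step_y     # largest n with y0 - step_y*n >= 0
    return [(x0 + step_x * n, y0 - step_y * n)
            for n in range(n_min, n_max + 1)]


def solve_many(coeffs, c):
    """Find one solution of a_1 x_1 + ... + a_n x_n = c, or None if none exists.

    Uses the reduction in the proof of Theorem 3.24: the last two terms
    are replaced by g*y with g = (a_{n-1}, a_n), the shorter equation is
    solved, and y is expanded back through g = a_{n-1}*s + a_n*t.
    """
    if len(coeffs) < 2 or any(a == 0 for a in coeffs):
        raise ValueError("need at least two nonzero coefficients")
    if len(coeffs) == 2:
        two = solve_two(coeffs[0], coeffs[1], c)
        return None if two is None else [two[0], two[1]]
    g, s, t = ext_gcd(coeffs[-2], coeffs[-1])
    reduced = solve_many(list(coeffs[:-2]) + [g], c)
    if reduced is None:
        return None
    y = reduced[-1]
    return reduced[:-1] + [s * y, t * y]


if __name__ == "__main__":
    print(solve_two(15, 6, 7))               # Example 3.27
    print(solve_two(21, 14, 70))             # Example 3.28
    print(nonnegative_solutions(6, 15, 83))  # Example 3.29
    print(nonnegative_solutions(20, 50, 510))  # Example 3.30
    print(solve_many([6, 10, 15], 1))        # constructed sample input
```
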


3.7 Exercises 

1. For each of the following linear diophantine equations, either find all solutions or show that 
there are no integral solutions. 

a) 2x + 5y = 11 b) 17x + 13y = 100 c) 21x + 14y = 147 d) 60x + 18y = 97 e) 1402x + 1969y = 1 

2. For each of the following linear diophantine equations, either find all solutions or show that 
there are no integral solutions. 

a) 3x + 4y = 7 b) 12x + 18y = 50 c) 30x + 47y = -11 d) 25x + 95y = 970 e) 102x + 1001y = 1 

3. A Japanese businessman returning home from a trip to North America exchanges his U.S. and 
Canadian dollars for yen. If he received 9,763 yen, and received 99 yen for each U.S. and 86 
yen for each Canadian dollar, how many of each type of currency did he exchange? 

4. A student returning from Europe changes her euros and Swiss francs into U.S. money. If she 
received $46.58 and received $1.39 for each euro and 91¢ for each Swiss franc, how much 
of each type of currency did she exchange? 

5. A professor returning home from conferences in Paris and London changes his euros and 
pounds into U.S. money. If he received $125.78 and received $1.31 for each euro and $1.61 
for each pound, how much of each type of currency did he exchange? 

6. The Indian astronomer and mathematician Mahavira, who lived in the ninth century, posed 
this puzzle: A band of 23 weary travelers entered a lush forest where they found 63 piles each 
containing the same number of plantains and a remaining pile containing seven plantains. 
They divided the plantains equally. How many plantains were in each of the 63 piles? Solve 
this puzzle. 

7. A grocer orders apples and oranges at a total cost of $8.39. If apples cost him 25¢ each and 
oranges cost him 18¢ each, how many of each type of fruit did he order? 

8. A shopper spends a total of $5.49 for oranges, which cost 18¢ each, and grapefruit, which 
cost 33¢ each. What is the minimum number of pieces of fruit the shopper could have bought? 

9. A postal clerk has only 14- and 21-cent stamps to sell. What combinations of these may be 
used to mail a package requiring postage of exactly each of the following amounts? 

a) $3.50 b) $4.00 c) $7.77 

10. At a clambake, the total cost of a lobster dinner is $11, and that of a chicken dinner is $8. 
What can you conclude if the total bill is each of the following amounts? 

a) $777 b) $96 c) $69 

* 11. Find all integer solutions of each of the following linear diophantine equations. 

a) 2x + 3y + 4z = 5 
b) 7x + 21y + 35z = 8 
c) 101x + 102y + 103z = 1 

* 12. Find all integer solutions of each of the following linear diophantine equations. 

a) $2x_1 + 5x_2 + 4x_3 + 3x_4 = 5$ 
b) $12x_1 + 21x_2 + 9x_3 + 15x_4 = 9$ 
c) $15x_1 + 6x_2 + 10x_3 + 21x_4 + 35x_5 = 1$ 

13. Which combinations of pennies, dimes, and quarters have a total value of 99¢? 

14. How many ways can change be made for one dollar, using each of the following coins? 

a) dimes and quarters 
b) nickels, dimes, and quarters 
c) pennies, nickels, dimes, and quarters 

In Exercises 15-17, we consider simultaneous linear diophantine equations. To solve these, first 
eliminate all but two variables and then solve the resulting equation in two variables. 

15. Find all integer solutions of the following systems of linear diophantine equations. 

a) x + y + z = 100 
   x + 8y + 50z = 156 

b) x + y + z = 100 
   x + 6y + 21z = 121 

c) x + y + z + w = 100 
   x + 2y + 3z + 4w = 300 
   x + 4y + 9z + 16w = 1000 

16. A piggy bank contains 24 coins, all of which are nickels, dimes, or quarters. If the total value 
of the coins is two dollars, what combinations of coins are possible? 

17. Nadir Airways offers three types of tickets on their Boston-New York flights. First-class 
tickets are $140, second-class tickets are $110, and standby tickets are $78. If 69 passengers 
pay a total of $6548 for their tickets on a particular flight, how many of each type of ticket 
were sold? 

18. Is it possible to have 50 coins, all of which are pennies, dimes, or quarters, with a total worth 
$3? 

Let a and b be relatively prime positive integers, and let n be a positive integer. A solution (x, y) 
of the linear diophantine equation ax + by = n is nonnegative when both x and y are nonnegative. 

* 19. Show that whenever $n \ge (a - 1)(b - 1)$, there is a nonnegative solution of ax + by = n. 

* 20. Show that if n = ab - a - b, then there are no nonnegative solutions of ax + by = n. 

* 21. Show that there are exactly (a - 1)(b - 1)/2 nonnegative integers n < ab - a - b such that 
the equation has a nonnegative solution. 

22. The post office in a small Maine town is left with stamps of only two values. They discover that 
there are exactly 33 postage amounts that cannot be made up using these stamps, including 
46¢. What are the values of the remaining stamps? 

* 23. A Chinese puzzle found in the sixth-century work of mathematician Chang Ch’iu-chien, 
called the “hundred fowls” problem, asks: If a cock is worth five coins, a hen three coins, and 
three chickens together are worth one coin, how many cocks, hens, and chickens, totaling 
100, can be bought for 100 coins? Solve this problem. 

* 24. Find all solutions where x and y are integers to the diophantine equation 

- + - - — 
x y 14 


Computations and Explorations 

1. Find all solutions of the linear diophantine equations 10234357x + 331108819y = 1 and 
10234357x + 331108819y = 123456789. 

2. Find all solutions of the linear diophantine equations 1122334455x + 10101010101y + 
9898989898z = 1 and 1122334455x + 10101010101y + 9898989898z = 987654321. 

3. Determine which positive integers are of the form 999x + 1001y, where x and y are nonneg- 
ative integers. Confirm that your results agree with Exercises 19-21. 

Programming Projects 

1. Given the coefficients of a linear diophantine equation in two variables, find all its solutions. 

2. Given the coefficients of a linear diophantine equation in two variables, find all its positive 
solutions. 

3. Given the coefficients of a linear diophantine equation in three variables, find all its positive 
solutions. 

* 4. Given the coefficients a and b, find all positive integers n for which the linear diophantine 
equation ax + by = n has no positive solutions (see the preamble to Exercise 19). 

Congruences 


The language of congruences was invented by the great German mathematician 
Gauss. It allows us to work with divisibility relationships in much the same way 
as we work with equalities. We will develop the basic properties of congruences in this 
chapter, describe how to do arithmetic with congruences, and study congruences involv- 
ing unknowns, such as linear congruences. An example leading to a linear congruence is 
the problem of finding all integers x such that when lx is divided by 11, the remainder 
is 3. We will also study systems of linear congruences that arise from such problems as 
the ancient Chinese puzzle that asks for a number that leaves a remainder of 2, 3, and 2, 
when divided by 3, 5, and 7, respectively. We will learn how to solve systems of linear 
congruences in one unknown, such as the system that results from this puzzle, using a 
famous method known as the Chinese remainder theorem. We will also learn how to 
solve polynomial congruences. Finally, we will introduce a factoring method, known as 
the Pollard rho method, which we use congruences to specify. 


4.1 Introduction to Congruences 

The special language of congruences that we introduce in this chapter, which is extremely 
useful in number theory, was developed at the beginning of the nineteenth century by 
Karl Friedrich Gauss, one of the most famous mathematicians in history. 

The language of congruences makes it possible to work with divisibility relation- 
ships much as we work with equalities. Prior to the introduction of congruences, the 
notation used for divisibility relationships was awkward and difficult to work with. The 
introduction of a convenient notation helped accelerate the development of number the- 
ory. 

Definition. Let m be a positive integer. If a and b are integers, we say that a is congruent 
to b modulo m if $m \mid (a - b)$. 

If a is congruent to b modulo m, we write $a \equiv b \pmod{m}$. If $m \nmid (a - b)$, we write 
$a \not\equiv b \pmod{m}$, and say that a and b are incongruent modulo m. The integer m is called 
the modulus of the congruence. The plural of modulus is moduli. 

Example 4.1. We have $22 \equiv 4 \pmod{9}$, because $9 \mid (22 - 4) = 18$. Likewise, $3 \equiv -6 
\pmod{9}$ and $200 \equiv 2 \pmod{9}$. On the other hand, $13 \not\equiv 5 \pmod{9}$ because 
$9 \nmid (13 - 5) = 8$. ◄ 

Congruences often arise in everyday life. For instance, clocks work either modulo 
12 or 24 for hours and modulo 60 for minutes and seconds; calendars work modulo 7 for 
days of the week and modulo 12 for months. Utility meters often operate modulo 1000, 
and odometers usually work modulo 100,000. 

In working with congruences, we will sometimes need to translate them into equal- 
ities. The following theorem helps us to do this. 

Theorem 4.1. If a and b are integers, then $a \equiv b \pmod{m}$ if and only if there is an 
integer k such that a = b + km. 

Proof. If $a \equiv b \pmod{m}$, then $m \mid (a - b)$. This means that there is an integer k with 
km = a - b, so that a = b + km. 

Conversely, if there is an integer k with a = b + km, then km = a - b. Hence, 
$m \mid (a - b)$, and consequently, $a \equiv b \pmod{m}$. ■ 

Example 4.2. We have $19 \equiv -2 \pmod{7}$ and $19 = -2 + 3 \cdot 7$. ◄ 

We now show that congruences satisfy a number of important properties. 

Theorem 4.2. Let m be a positive integer. Congruences modulo m satisfy the following 
properties: 

(i) Reflexive property. If a is an integer, then $a \equiv a \pmod{m}$. 


KARL FRIEDRICH GAUSS (1777-1855) was the son of a bricklayer. It was 
quickly apparent that he was a prodigy. In fact, at the age of 3, he corrected 
an error in his father’s payroll. In his first arithmetic class, the teacher gave 
an assignment designed to keep the class busy, namely, to find the sum of the 
first 100 positive integers. Gauss, who was 8 at the time, realized that this 
sum is 50 · 101 = 5050, because the terms can be grouped as 1 + 100 = 101, 
2 + 99 = 101, . . . , 49 + 52 = 101, and 50 + 51 = 101. In 1796, Gauss made an 
important discovery in an area of geometry that had not progressed since ancient 
times. In particular, he showed that a regular heptadecagon (17-sided polygon) could be drawn using 
just a ruler and a compass. In 1799, he presented the first rigorous proof of the fundamental theorem 
of algebra, which states that a polynomial of degree n with real coefficients has exactly n roots. Gauss 
made fundamental contributions to astronomy, including calculating the orbit of the asteroid Ceres. On 
the basis of this calculation, Gauss was appointed director of the Göttingen Observatory. He laid the 
foundations of modern number theory with his book Disquisitiones Arithmeticae in 1801. Gauss was 
called “Princeps Mathematicorum” (the Prince of Mathematicians) by his contemporaries. Although 
Gauss is noted for his many discoveries in geometry, algebra, analysis, astronomy, and mathematical 
physics, he had a special interest in number theory. This can be seen from his statement: “Mathematics 
is the queen of sciences, and the theory of numbers is the queen of mathematics.” Gauss made most of 
his important discoveries early in his life, and spent his later years refining them. Gauss made several 
fundamental discoveries that he did not reveal. Mathematicians making the same discoveries were 
often surprised to find that Gauss had described the results years earlier in his unpublished notes. 






(ii) Symmetric property. If a and b are integers such that $a \equiv b \pmod{m}$, then 
$b \equiv a \pmod{m}$. 

(iii) Transitive property. If a, b, and c are integers with $a \equiv b \pmod{m}$ and 
$b \equiv c \pmod{m}$, then $a \equiv c \pmod{m}$. 

Proof. 

(i) We see that $a \equiv a \pmod{m}$, because $m \mid (a - a) = 0$. 

(ii) If $a \equiv b \pmod{m}$, then $m \mid (a - b)$. Hence, there is an integer k such that km = 
a - b. This shows that (-k)m = b - a, so that $m \mid (b - a)$. Consequently, 
$b \equiv a \pmod{m}$. 

(iii) If $a \equiv b \pmod{m}$ and $b \equiv c \pmod{m}$, then $m \mid (a - b)$ and $m \mid (b - c)$. Hence, 
there are integers k and l such that km = a - b and lm = b - c. Therefore, 
a - c = (a - b) + (b - c) = km + lm = (k + l)m. It follows that $m \mid (a - c)$ 
and $a \equiv c \pmod{m}$. ■ 

By Theorem 4.2, we see that the set of integers is divided into m different sets called 
congruence classes modulo m, each containing integers that are mutually congruent 
modulo m. Note that when m = 2, this gives us the two classes of even and odd integers. 

If you are familiar with the notion of relations on a set, Theorem 4.2 shows that 
congruence modulo m, where m is a positive integer, is an equivalence relation and the 
congruence classes modulo m are the equivalence classes of the equivalence relation 
defined by this relation. 

Example 4.3. The four congruence classes modulo 4 are given by 

$$\cdots \equiv -5 \equiv -1 \equiv 3 \equiv 7 \equiv 11 \equiv \cdots \pmod{4}.$$

Suppose that m is a positive integer. Given an integer a, by the division algorithm 
we have a = bm + r, where $0 \le r \le m - 1$. We call r the least nonnegative residue of a 
modulo m. We say that r is the result of reducing a modulo m. Similarly, when we know 
that a is not divisible by m, we call r the least positive residue of a modulo m. 

Another commonly used notation, especially in computer science, is a mod m = r, 
which denotes that r is the remainder obtained when a is divided by m. For example, 17 
mod 5 = 2 and -8 mod 7 = 6. Note that mod m is a function from the set of integers to 
the set {0, 1, 2, . . . , m - 1}. 

The relationship between these two different notations is clarified by the next 
theorem, whose proof is left to the reader as Exercises 10 and 11 at the end of this 
section. 

Theorem 4.3. If a and b are integers and m is a positive integer, then $a \equiv b \pmod{m}$ 
if and only if a mod m = b mod m. 

Now note that from the equation a = bm + r, it follows that $a \equiv r \pmod{m}$. Hence, 
every integer is congruent modulo m to one of the integers 0, 1, . . . , m - 1, namely, the 
remainder when it is divided by m. Because no two of the integers 0, 1, . . . , m - 1 are 
congruent modulo m, we have m integers such that every integer is congruent to exactly 
one of these m integers. 

Definition. A complete system of residues modulo m is a set of integers such that every 
integer is congruent modulo m to exactly one integer of the set. 

Example 4.4. The division algorithm shows that the set of integers 0, 1, 2, . . . , m — 1 
is a complete system of residues modulo m. This is called the set of least nonnegative 
residues modulo m. ◄ 

Example 4.5. Let m be an odd positive integer. Then the set of integers 

$$\left\{ -\frac{m-1}{2}, -\frac{m-3}{2}, \ldots, -1, 0, 1, \ldots, \frac{m-3}{2}, \frac{m-1}{2} \right\},$$

the set of absolute least residues modulo m, is a complete system of residues. ◄ 

We will often do arithmetic with congruences, which is called modular arithmetic. 
Congruences have many of the same properties that equalities do. First, we show that 
an addition, subtraction, or multiplication to both sides of a congruence preserves the 
congruence. 

Theorem 4.4. If a, b, c, and m are integers, with m > 0, such that $a \equiv b \pmod{m}$, then 

(i) $a + c \equiv b + c \pmod{m}$, 

(ii) $a - c \equiv b - c \pmod{m}$, 

(iii) $ac \equiv bc \pmod{m}$. 

Proof. Because $a \equiv b \pmod{m}$, we know that $m \mid (a - b)$. From the identity (a + c) - 
(b + c) = a - b, we see that $m \mid ((a + c) - (b + c))$, so that (i) follows. Likewise, (ii) 
follows from the fact that (a - c) - (b - c) = a - b. To show that (iii) holds, note 
that ac - bc = c(a - b). Because $m \mid (a - b)$, it follows that $m \mid c(a - b)$, and hence, 
$ac \equiv bc \pmod{m}$. ■ 

Example 4.6. Because $19 \equiv 3 \pmod{8}$, it follows from Theorem 4.4 that 
$26 = 19 + 7 \equiv 3 + 7 = 10 \pmod{8}$, $15 = 19 - 4 \equiv 3 - 4 = -1 \pmod{8}$, and 
$38 = 19 \cdot 2 \equiv 3 \cdot 2 = 6 \pmod{8}$. ◄ 

What happens when both sides of a congruence are divided by an integer? Consider 
the following example. 


Example 4.7. We have 14 = 7 · 2 ≡ 4 · 2 = 8 (mod 6). But we cannot cancel the 
common factor of 2, because 7 ≢ 4 (mod 6). ◄ 

This example shows that it is not necessarily true that we preserve a congruence 
when we divide both sides by the same integer. However, the following theorem gives a 
valid congruence when both sides of a congruence are divided by the same integer. 

Theorem 4.5. If a, b, c, and m are integers such that m > 0, d = (c, m), and ac ≡ 
bc (mod m), then a ≡ b (mod m/d). 

Proof. If ac ≡ bc (mod m), we know that m | (ac - bc) = c(a - b). Hence, there is 
an integer k with c(a - b) = km. By dividing both sides by d, we have (c/d)(a - b) = 
k(m/d). Because (m/d, c/d) = 1, by Lemma 3.4 it follows that m/d | (a - b). Hence, 
a ≡ b (mod m/d). ■ 

Example 4.8. Because 50 ≡ 20 (mod 15) and (10, 15) = 5, we see that 50/10 ≡ 
20/10 (mod 15/5), or 5 ≡ 2 (mod 3). ◄ 

The following corollary, which is a special case of Theorem 4.5, is used often; it 
allows us to cancel numbers that are relatively prime to the modulus m in congruences 
modulo m. 

Corollary 4.5.1. If a, b, c, and m are integers such that m > 0, (c, m) = 1, and 
ac ≡ bc (mod m), then a ≡ b (mod m). 

Example 4.9. Because 42 ≡ 7 (mod 5) and (5, 7) = 1, we can conclude that 42/7 ≡ 
7/7 (mod 5), or that 6 ≡ 1 (mod 5). ◄ 

The following theorem, which is more general than Theorem 4.4, is also useful. Its 
proof is similar to the proof of Theorem 4.4. 

Theorem 4.6. If a, b, c, d, and m are integers such that m > 0, a ≡ b (mod m), and 
c ≡ d (mod m), then 

(i) a + c ≡ b + d (mod m), 

(ii) a - c ≡ b - d (mod m), 

(iii) ac ≡ bd (mod m). 

Proof. Because a ≡ b (mod m) and c ≡ d (mod m), we know that m | (a - b) and 
m | (c - d). Hence, there are integers k and l with km = a - b and lm = c - d. 

To prove (i), note that (a + c) - (b + d) = (a - b) + (c - d) = km + lm = 
(k + l)m. Hence, m | [(a + c) - (b + d)]. Therefore, a + c ≡ b + d (mod m). 

To prove (ii), note that (a - c) - (b - d) = (a - b) - (c - d) = km - lm = 
(k - l)m. Hence, m | [(a - c) - (b - d)], so that a - c ≡ b - d (mod m). 

To prove (iii), note that ac - bd = ac - bc + bc - bd = c(a - b) + b(c - d) = 
ckm + blm = m(ck + bl). Hence, m | (ac - bd). Therefore, ac ≡ bd (mod m). ■ 





Example 4.10. Because 13 ≡ 3 (mod 5) and 7 ≡ 2 (mod 5), using Theorem 4.6 we 
see that 20 = 13 + 7 ≡ 3 + 2 = 5 (mod 5), 6 = 13 - 7 ≡ 3 - 2 = 1 (mod 5), and 91 = 
13 · 7 ≡ 3 · 2 = 6 (mod 5). ◄ 


The following lemma helps us to determine whether a set of m numbers forms a 
complete set of residues modulo m. 

Lemma 4.1. A set of m incongruent integers modulo m forms a complete set of residues 
modulo m. 

Proof. Suppose that a set of m incongruent integers modulo m does not form a complete 
set of residues modulo m. This implies that at least one integer a is not congruent to any 
of the integers in the set. Hence, there is no integer in the set congruent modulo m to 
the remainder of a when it is divided by m. Hence, there can be at most m - 1 different 
remainders of the integers when they are divided by m. It follows (by the pigeonhole 
principle, which says that if more than n objects are distributed into n boxes, at least two 
objects are in the same box) that at least two integers in the set have the same remainder 
modulo m. This is impossible, because these integers are incongruent modulo m. Hence, 
any m incongruent integers modulo m form a complete system of residues modulo m. 


Theorem 4.7. If r_1, r_2, ..., r_m is a complete system of residues modulo m, and if a 
is a positive integer with (a, m) = 1, then 

ar_1 + b, ar_2 + b, ..., ar_m + b 

is a complete system of residues modulo m for any integer b. 

Proof. First, we show that no two of the integers 

ar_1 + b, ar_2 + b, ..., ar_m + b 

are congruent modulo m. To see this, note that if 

ar_j + b ≡ ar_k + b (mod m), 

then, by (ii) of Theorem 4.4, we know that 

ar_j ≡ ar_k (mod m). 

Because (a, m) = 1, Corollary 4.5.1 shows that 

r_j ≡ r_k (mod m). 

Given that r_j ≢ r_k (mod m) if j ≠ k, we conclude that j = k. 

By Lemma 4.1, because the set of integers in question consists of m incongruent 
integers modulo m, these integers form a complete system of residues modulo m. ■ 

The following theorem shows that a congruence is preserved when both sides are 
raised to the same positive integral power. 
Theorem 4.8. If a, b, k, and m are integers such that k > 0, m > 0, and a ≡ b (mod m), 
then a^k ≡ b^k (mod m). 

Proof. Because a ≡ b (mod m), we have m | (a - b), and because 

a^k - b^k = (a - b)(a^(k-1) + a^(k-2)b + ··· + ab^(k-2) + b^(k-1)), 

we see that (a - b) | (a^k - b^k). Therefore, by Theorem 1.8 it follows that m | (a^k - b^k). 
Hence, a^k ≡ b^k (mod m). ■ 

Example 4.11. Because 7 ≡ 2 (mod 5), Theorem 4.8 tells us that 343 = 7^3 ≡ 2^3 = 
8 (mod 5). ◄ 

The following result shows how to combine congruences of two numbers to different 
moduli. 

Theorem 4.9. If a ≡ b (mod m_1), a ≡ b (mod m_2), ..., a ≡ b (mod m_k), where a, b, 
m_1, m_2, ..., m_k are integers with m_1, m_2, ..., m_k positive, then 

a ≡ b (mod [m_1, m_2, ..., m_k]), 

where [m_1, m_2, ..., m_k] denotes the least common multiple of m_1, m_2, ..., m_k. 

Proof. The hypothesis a ≡ b (mod m_1), a ≡ b (mod m_2), ..., a ≡ b (mod m_k), means 
that m_1 | (a - b), m_2 | (a - b), ..., m_k | (a - b). By Exercise 39 of Section 3.5, we see 
that 

[m_1, m_2, ..., m_k] | (a - b). 

Consequently, 

a ≡ b (mod [m_1, m_2, ..., m_k]). ■ 

The following result is an immediate and useful consequence of this theorem. 

Corollary 4.9.1. If a ≡ b (mod m_1), a ≡ b (mod m_2), ..., a ≡ b (mod m_k), where a 
and b are integers and m_1, m_2, ..., m_k are pairwise relatively prime positive integers, 
then 

a ≡ b (mod m_1 m_2 ··· m_k). 

Proof. Because m_1, m_2, ..., m_k are pairwise relatively prime, Exercise 64 of Section 
3.5 tells us that 

[m_1, m_2, ..., m_k] = m_1 m_2 ··· m_k. 

Hence, by Theorem 4.9, we know that 

a ≡ b (mod m_1 m_2 ··· m_k). 


Fast Modular Exponentiation 

In our subsequent studies, we will be working with congruences involving large powers 
of integers. For example, we will want to find the least positive residue of 2^644 modulo 
645. If we attempt to find this least positive residue by first computing 2^644, we would 
have an integer with 194 decimal digits, a most undesirable thought. Instead, to find 2^644 
modulo 645 we first express the exponent 644 in binary notation: 

(644)_10 = (1010000100)_2. 

Next, we compute the least positive residues of 2, 2^2, 2^4, 2^8, ..., 2^512 by successively 
squaring and reducing modulo 645. This gives us the congruences 

2 ≡ 2 (mod 645) 
2^2 ≡ 4 (mod 645) 
2^4 ≡ 16 (mod 645) 
2^8 ≡ 256 (mod 645) 
2^16 ≡ 391 (mod 645) 
2^32 ≡ 16 (mod 645) 
2^64 ≡ 256 (mod 645) 
2^128 ≡ 391 (mod 645) 
2^256 ≡ 16 (mod 645) 
2^512 ≡ 256 (mod 645). 

We can now compute 2^644 modulo 645 by multiplying the least positive residues of the 
appropriate powers of 2. This gives 

2^644 = 2^(512+128+4) = 2^512 · 2^128 · 2^4 ≡ 256 · 391 · 16 = 1,601,536 ≡ 1 (mod 645). 

We have just illustrated a general procedure for modular exponentiation, that is, for 
computing b^N modulo m, where b, m, and N are positive integers. We first express the 
exponent N in binary notation, as N = (a_k a_(k-1) ... a_1 a_0)_2. We then find the least positive 
residues of b, b^2, b^4, ..., b^(2^k) modulo m, by successively squaring and reducing modulo 
m. Finally, we multiply the least positive residues modulo m of b^(2^j) for those j with a_j = 1, 
reducing modulo m after each multiplication. 
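
The three steps of this procedure, written out as an added Python example (not code from the text); the function names are chosen here for illustration, and the trace also returns the number of squarings and multiplications performed.

```python
"""Binary modular exponentiation, following the three steps in the text."""


def binary_digits(n):
    """Binary digits of n, least significant first: [a_0, a_1, ..., a_k]."""
    if n <= 0:
        raise ValueError("exponent N must be a positive integer")
    digits = []
    while n:
        digits.append(n & 1)
        n >>= 1
    return digits


def successive_squares(b, k, m):
    """Least nonnegative residues of b^(2^j) modulo m for j = 0, 1, ..., k."""
    residues = [b % m]
    for _ in range(k):
        # Square the previous residue and reduce at once, so no intermediate
        # value ever exceeds (m - 1)^2.
        residues.append(residues[-1] * residues[-1] % m)
    return residues


def mod_exp_trace(b, n, m):
    """Return (residue, squares, squarings, multiplications) for b^n mod m."""
    if m <= 0:
        raise ValueError("modulus m must be a positive integer")
    digits = binary_digits(n)              # step 1: binary expansion of N
    k = len(digits) - 1                    # 2^k <= N < 2^(k+1)
    squares = successive_squares(b, k, m)  # step 2: k squarings
    result = 1 % m                         # 1 % m is 0 when m = 1
    multiplications = 0
    # Step 3: multiply the residues of b^(2^j) for those j with a_j = 1,
    # reducing modulo m after each multiplication.
    # The loop branches on the exponent bits, so its running time depends
    # on N; code handling secret exponents uses constant-time variants.
    for a_j, square in zip(digits, squares):
        if a_j:
            result = result * square % m
            multiplications += 1
    return result, squares, k, multiplications


def mod_exp(b, n, m):
    """Least nonnegative residue of b^n modulo m."""
    return mod_exp_trace(b, n, m)[0]


if __name__ == "__main__":
    residue, squares, squarings, mults = mod_exp_trace(2, 644, 645)
    for j, r in enumerate(squares):
        print(f"2^{2 ** j} = {r} (mod 645)")
    print(f"2^644 = {residue} (mod 645): "
          f"{squarings} squarings, {mults} multiplications")
```
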

In our subsequent discussions, we will need an estimate for the number of bit 
operations needed for modular exponentiation. This is provided by the following proposition. 

Theorem 4.10. Let b, m, and N be positive integers such that b < m. Then the 
least positive residue of b^N modulo m can be computed using O((log_2 m)^2 log_2 N) bit 
operations. 

Proof. To find the least positive residue of b^N modulo m, we can use the algorithm 
just described. First, we find the least positive residues of b, b^2, b^4, ..., b^(2^k) modulo m, 
where 2^k ≤ N < 2^(k+1), by successively squaring and reducing modulo m. This requires a 
total of O((log_2 m)^2 log_2 N) bit operations, because we perform k = [log_2 N] squarings 
modulo m, each requiring O((log_2 m)^2) bit operations. Next, we multiply together the 
least positive residues of the integers b^(2^j) corresponding to the binary digits of N that 
are equal to 1, and we reduce modulo m after each multiplication. This also requires 
O((log_2 m)^2 log_2 N) bit operations, because there are at most log_2 N multiplications, 
each requiring O((log_2 m)^2) bit operations. Therefore, a total of O((log_2 m)^2 log_2 N) 
bit operations is needed. ■ 

4.1 Exercises 

1. Show that each of the following congruences holds. 

a) 13 ≡ 1 (mod 2) d) 69 ≡ 62 (mod 7) g) 111 ≡ -9 (mod 40) 

b) 22 ≡ 7 (mod 5) e) -2 ≡ 1 (mod 3) h) 666 ≡ 0 (mod 37) 

c) 91 ≡ 0 (mod 13) f) -3 ≡ 30 (mod 11) 

2. For each of these pairs of integers, determine whether they are congruent modulo 7. 

a) 1, 15 c) 2, 99 e) -9, 5 

b) 0, 42 d) -1, 8 f) -1, 699 

3. For which positive integers m is each of the following statements true? 
a) 27 ≡ 5 (mod m) b) 1000 ≡ 1 (mod m) c) 1331 ≡ 0 (mod m) 

4. Show that if a is an even integer, then a^2 ≡ 0 (mod 4), and if a is an odd integer, then 
a^2 ≡ 1 (mod 4). 

5. Show that if a is an odd integer, then a^2 ≡ 1 (mod 8). 

6. Find the least nonnegative residue modulo 13 of each of the following integers. 

a) 22 c) 1001 e) -100 

b) 100 d) -1 f) -1000 

7. Find the least nonnegative residue modulo 28 of each of the following integers. 

a) 99 c) 12,345 e) -1000 

b) 1100 d) -1 f) -54,321 

8. Find the least positive residue of 1! + 2! + 3! + ··· + 10! modulo each of the following 
integers. 

a) 3 b) 11 c) 4 d) 23 

9. Find the least positive residue of 1! + 2! + 3! + ··· + 100! modulo each of the following 
integers. 

a) 2 b) 7 c) 12 d) 25 

10. Show that if a, b, and m are integers with m > 0 and a ≡ b (mod m), then a mod m = b 
mod m. 

11. Show that if a, b, and m are integers with m > 0 and a mod m = b mod m, then a ≡ b 
(mod m). 

12. Show that if a, b, m, and n are integers such that m > 0, n > 0, n | m, and a ≡ b (mod m), 
then a ≡ b (mod n). 

13. Show that if a, b, c, and m are integers such that c > 0, m > 0, and a ≡ b (mod m), then 
ac ≡ bc (mod mc). 

14. Show that if a, b, and c are integers with c > 0 such that a ≡ b (mod c), then (a, c) = (b, c). 

15. Show that if a_j ≡ b_j (mod m) for j = 1, 2, ..., n, where m is a positive integer and a_j, b_j, 
j = 1, 2, ..., n, are integers, then 

a) Σ_{j=1}^{n} a_j ≡ Σ_{j=1}^{n} b_j (mod m). b) Π_{j=1}^{n} a_j ≡ Π_{j=1}^{n} b_j (mod m). 

16. Find a counterexample to the statement that if m is an integer with m > 2, then (a + b) mod 
m = a mod m + b mod m for all integers a and b. 

17. Find a counterexample to the statement that if m is an integer with m > 2, then (ab) mod 
m = (a mod m)(b mod m) for all integers a and b. 

18. Show that if m is a positive integer with m > 2, then (a + b) mod m = (a mod m + b mod 
m) mod m for all integers a and b. 

19. Show that if m is a positive integer with m > 2, then (ab) mod m = ((a mod m)(b mod m)) 
mod m for all integers a and b. 

In Exercises 20-22, construct tables for arithmetic modulo 6 using the least nonnegative residues 
modulo 6 to represent the congruence classes. 

20. Construct a table for addition modulo 6. 

21. Construct a table for subtraction modulo 6. 

22. Construct a table for multiplication modulo 6. 

23. What time does a 12-hour clock read 

a) 29 hours after it reads 11 o’clock? c) 50 hours before it reads 6 o’clock? 

b) 100 hours after it reads 2 o’clock? 

24. Which decimal digits occur as the final digit of a fourth power of an integer? 

25. What can you conclude if a^2 ≡ b^2 (mod p), where a and b are integers and p is prime? 

26. Show that if a^k ≡ b^k (mod m) and a^(k+1) ≡ b^(k+1) (mod m), where a, b, k, and m are integers 
with k > 0 and m > 0 such that (a, m) = 1, then a ≡ b (mod m). If the condition (a, m) = 1 
is dropped, is the conclusion that a ≡ b (mod m) still valid? 

27. Show that if n is an odd positive integer, then 

1 + 2 + 3 + ··· + (n - 1) ≡ 0 (mod n). 

Is this statement true if n is even? 

28. Show that if n is an odd positive integer or if n is a positive integer divisible by 4, then 

1^3 + 2^3 + 3^3 + ··· + (n - 1)^3 ≡ 0 (mod n). 

Is this statement true if n is even but not divisible by 4? 

29. For which positive integers n is it true that 

1^2 + 2^2 + 3^2 + ··· + (n - 1)^2 ≡ 0 (mod n)? 

30. Show by mathematical induction that if n is a positive integer, then 4^n ≡ 1 + 3n (mod 9). 

31. Show by mathematical induction that if n is a positive integer, then 5^n ≡ 1 + 4n (mod 16). 

32. Give a complete system of residues modulo 13 consisting entirely of odd integers. 

33. Show that if n ≡ 3 (mod 4), then n cannot be the sum of the squares of two integers. 

34. Show that if p is prime, then the only solutions of the congruence x^2 ≡ x (mod p) are those 
integers x such that x ≡ 0 or 1 (mod p). 

35. Show that if p is prime and k is a positive integer, then the only solutions of x^2 ≡ x (mod p^k) 
are those integers x such that x ≡ 0 or 1 (mod p^k). 

36. Find the least positive residues modulo 47 of each of the following integers. 
36. Find the least positive residues modulo 47 of each of the following integers, 

a) 2^32 b) 2^47 c) 2^200 

37. Let m_1, m_2, ..., m_k be pairwise relatively prime positive integers. Let M = m_1 m_2 ··· m_k 
and M_j = M/m_j for j = 1, 2, ..., k. Show that 

M_1 a_1 + M_2 a_2 + ··· + M_k a_k 

runs through a complete system of residues modulo M when a_1, a_2, ..., a_k run through 
complete systems of residues modulo m_1, m_2, ..., m_k, respectively. 

38. Explain how to find the sum u + v from the least positive residue of u + v modulo m, where 
u and v are positive integers less than m. (Hint: Assume that u < v, and consider separately 
the cases where the least positive residue of u + v is less than u, and where it is greater than 
v.) 

39. On a computer with word size w, multiplication modulo n where n < w/2 can be performed 
as outlined. Let T = [√w + 1/2], and t = T^2 - n. For each computation, show that all the 
required computer arithmetic can be done without exceeding the word size. (This method 
was described by Head [He80]). 

a) Show that 0 < t < T. 

b) Show that if x and y are nonnegative integers less than n, then 

x = aT + b, y = cT + d, 

where a, b, c, and d are integers such that 0 < a < T, 0 < b < T, 0 < c < T, and 
0 < d < T. 

c) Let z ≡ ad + bc (mod n), such that 0 < z < n. Show that 

xy ≡ act + zT + bd (mod n). 

d) Let ac = eT + f, where e and f are integers with 0 < e < T and 0 < f < T. Show that 

xy ≡ (z + et)T + ft + bd (mod n). 

e) Let v ≡ z + et (mod n), such that 0 < v < n. Show that we can write 

v = gT + h, 

where g and h are integers with 0 < g < T, 0 < h < T, and such that 

xy ≡ hT + (f + g)t + bd (mod n). 

f) Show that the right-hand side of the congruence of part (e) can be computed without 
exceeding the word size, by first finding j such that 

j ≡ (f + g)t (mod n) 

and 0 < j < n, and then finding k such that 

k ≡ j + bd (mod n) 

and 0 < k < n, so that 

xy ≡ hT + k (mod n). 

This gives the desired result. 

40. Develop an algorithm for modular exponentiation from the base 3 expansion of the exponent. 

41. Find the least positive residue of each of the following. 

a) 3^10 modulo 11 c) 5^16 modulo 17 

b) 2^12 modulo 13 d) 3^22 modulo 23 

e) Can you propose a theorem from the above congruences? 

42. Find the least positive residues of each of the following. 

a) 6! modulo 7 c) 12! modulo 13 

b) 10! modulo 11 d) 16! modulo 17 

e) Can you propose a theorem from the above congruences? 

* 43. Show that for every positive integer m there are infinitely many Fibonacci numbers f_n such 
that m divides f_n. (Hint: Show that the sequence of least positive residues modulo m of the 
Fibonacci numbers is a repeating sequence.) 

44. Prove Theorem 4.8 using mathematical induction. 

45. Show that the least nonnegative residue modulo m of the product of two positive integers less 
than m can be computed using O(log^2 m) bit operations. 

* 46. Five men and a monkey are shipwrecked on an island. The men have collected a pile of 

coconuts that they plan to divide equally among themselves the next morning. Not trusting 
the other men, one of the group wakes up during the night and divides the coconuts into five 
equal parts with one left over, which he gives to the monkey. He then hides his portion of the 
pile. During the night, each of the other four men does exactly the same thing by dividing the 
pile he finds into five equal parts, leaving one coconut for the monkey, and hiding his portion. 
In the morning, the men gather and split the remaining pile of coconuts into five parts and 
one is left over for the monkey. What is the minimum number of coconuts the men could 
have collected for their original pile? 

* 47. Answer the question in Exercise 46, where instead of five men and one monkey, there are n 

men and k monkeys, and at each stage the monkeys receive one coconut each. 

We say that the polynomials f(x) and g(x) are congruent modulo n as polynomials if for each 
power of x the coefficients of that power in f(x) and g(x) are congruent modulo n. For example, 
11x^3 + x^2 + 2 and x^3 - 4x^2 + 5x + 22 are congruent as polynomials modulo 5. The notation 
f(x) ≡ g(x) (mod n) is often used to denote that f(x) and g(x) are congruent as polynomials 
modulo n. In Exercises 48-52, assume that n is a positive integer with n > 1 and that all 
polynomials have integer coefficients. 

48. a) Show that if f(x) and g(x) are congruent as polynomials modulo n, then for every integer 
a, f(a) ≡ g(a) (mod n). 

b) Show that it is not necessarily true that f(x) and g(x) are congruent as polynomials 
modulo n if f(a) ≡ g(a) (mod n) for every integer a. 

49. Show that if f_1(x) and g_1(x) are congruent as polynomials modulo n and f_2(x) and g_2(x) 
are congruent as polynomials modulo n, then 

a) (f_1 + f_2)(x) and (g_1 + g_2)(x) are congruent as polynomials modulo n. 

b) (f_1 f_2)(x) and (g_1 g_2)(x) are congruent as polynomials modulo n. 

50. Show that if f(x) is a polynomial with integer coefficients and f(a) ≡ 0 (mod n), then there 
is a polynomial g(x) with integer coefficients such that f(x) and (x - a)g(x) are congruent 
as polynomials modulo n. 

51. Suppose that p is prime, f(x) is a polynomial with integer coefficients, a_1, a_2, ..., a_k 
are incongruent integers modulo p, and f(a_j) ≡ 0 (mod p) for j = 1, 2, ..., k. Show that 
there exists a polynomial g(x) with integer coefficients such that f(x) and (x - a_1)(x - 
a_2) ··· (x - a_k)g(x) are congruent as polynomials modulo p. 

52. Use Exercise 51 to show that if p is a prime, f(x) is a polynomial with integer coefficients, 
and x^n is the largest power of x with a coefficient not divisible by p, then the congruence 
f(x) ≡ 0 (mod p) has at most n incongruent solutions modulo p. 

Computations and Explorations 

1. Compute the least positive residue modulo 10,403 of 7651^891. 

2. Compute the least positive residue modulo 10,403 of 7651^(20!). 

Programming Projects 

1. Find the least nonnegative residue of an integer with respect to a fixed modulus. 

2. Perform modular addition and subtraction when the modulus is less than half of the word size 
of the computer. 

3. Perform modular multiplication when the modulus is less than half of the word size of the 
computer, using Exercise 31. 

4. Perform modular exponentiation using the algorithm described in the text. 


4.2 Linear Congruences 

A congruence of the form 

ax ≡ b (mod m), 

where x is an unknown integer, is called a linear congruence in one variable. In this 
section, we will see that the study of such congruences is similar to the study of linear 
diophantine equations in two variables. 

We first note that if x = x_0 is a solution of the congruence ax ≡ b (mod m), and if 
x_1 ≡ x_0 (mod m), then ax_1 ≡ ax_0 ≡ b (mod m), so that x_1 is also a solution. Hence, if 
one member of a congruence class modulo m is a solution, then all members of this class 
are solutions. Therefore, we may ask how many of the m congruence classes modulo 
m give solutions; this is exactly the same as asking how many incongruent solutions 
there are modulo m. The following theorem tells us when a linear congruence in one 
variable has solutions, and if it does, tells exactly how many incongruent solutions there 
are modulo m. 

Theorem 4.11. Let a, b, and m be integers such that m > 0 and (a, m) = d. If d ∤ b, 
then ax ≡ b (mod m) has no solutions. If d | b, then ax ≡ b (mod m) has exactly d 
incongruent solutions modulo m. 

Proof. By Theorem 4.1, the linear congruence ax ≡ b (mod m) is equivalent to the 
linear diophantine equation in two variables ax - my = b. The integer x is a solution of 
ax ≡ b (mod m) if and only if there is an integer y such that ax - my = b. By Theorem 
3.23, we know that if d ∤ b, there are no solutions, whereas if d | b, ax - my = b has 
infinitely many solutions, given by 

x = x_0 + (m/d)t, y = y_0 + (a/d)t, 

where x = x_0 and y = y_0 is a particular solution of the equation. The values of x given 
above, 

x = x_0 + (m/d)t, 

are the solutions of the linear congruence; there are infinitely many of these. 

To determine how many incongruent solutions there are, we find the condition 
that describes when two of the solutions x_1 = x_0 + (m/d)t_1 and x_2 = x_0 + (m/d)t_2 are 
congruent modulo m. If these two solutions are congruent, then 

x_0 + (m/d)t_1 ≡ x_0 + (m/d)t_2 (mod m). 

Subtracting x_0 from both sides of this congruence, we find that 

(m/d)t_1 ≡ (m/d)t_2 (mod m). 

Now (m, m/d) = m/d because (m/d) | m, so that by Theorem 4.4, we see that 

t_1 ≡ t_2 (mod d). 

This shows that a complete set of incongruent solutions is obtained by taking x = 
x_0 + (m/d)t, where t ranges through a complete system of residues modulo d. One 
such set is given by x = x_0 + (m/d)t, where t = 0, 1, 2, ..., d - 1. ■ 

A linear congruence where the multiplier a and the modulus m are relatively prime 
has a unique solution, as Corollary 4.11.1 shows. 

Corollary 4.11.1. If a and m are relatively prime integers with m > 0 and b is an 
integer, then the linear congruence ax ≡ b (mod m) has a unique solution modulo m. 

Proof. Because (a, m) = 1, we know that (a, m) | b. Consequently, by Theorem 4.11, it 
follows that the congruence ax ≡ b (mod m) has exactly (a, m) = 1 incongruent solution 
modulo m. ■ 


We now illustrate the use of Theorem 4.11. 
Example 4.12. To find all solutions of 9x ≡ 12 (mod 15), we first note that because 
(9, 15) = 3 and 3 | 12, there are exactly three incongruent solutions. We can find these 
solutions by first finding a particular solution and then adding the appropriate multiples 
of 15/3 = 5. 

To find a particular solution, we consider the linear diophantine equation 9x - 15y = 
12. The Euclidean algorithm shows that 

15 = 9 · 1 + 6 
9 = 6 · 1 + 3 
6 = 3 · 2, 

so that 3 = 9 - 6 · 1 = 9 - (15 - 9 · 1) = 9 · 2 - 15. Hence, 9 · 8 - 15 · 4 = 12, and a 
particular solution of 9x - 15y = 12 is given by x_0 = 8 and y_0 = 4. 

From the proof of Theorem 4.11, we see that a complete set of three incongruent 
solutions is given by x = x_0 ≡ 8 (mod 15), x = x_0 + 5 ≡ 13 (mod 15), and x = x_0 + 5 · 
2 = 18 ≡ 3 (mod 15). ◄ 

Modular Inverses. We now consider congruences of the special form ax ≡ 1 (mod m). 
By Theorem 4.11, there is a solution to this congruence if and only if (a, m) = 1, and 
then all solutions are congruent modulo m. 

Definition. Given an integer a with (a, m) = 1, an integer solution x of ax ≡ 1 (mod m) 
is called an inverse of a modulo m. 

Example 4.13. Because the solutions of 7x ≡ 1 (mod 31) satisfy x ≡ 9 (mod 31), 9 and 
all integers congruent to 9 modulo 31 are inverses of 7 modulo 31. Analogously, because 
9 · 7 ≡ 1 (mod 31), 7 is an inverse of 9 modulo 31. ◄ 

When we have an inverse of a modulo m, we can use it to solve any congruence 
of the form ax ≡ b (mod m). To see this, let ā be an inverse of a modulo m, so that 
āa ≡ 1 (mod m). Then, if ax ≡ b (mod m), we can multiply both sides of this congruence 
by ā to find that ā(ax) ≡ āb (mod m), so that x ≡ āb (mod m). 

Example 4.14. To find the solutions of 7x ≡ 22 (mod 31), we multiply both sides of 
this congruence by 9, an inverse of 7 modulo 31, to obtain 9 · 7x ≡ 9 · 22 (mod 31). 
Hence, x ≡ 198 ≡ 12 (mod 31). ◄ 

Example 4.15. To find all solutions of 7x ≡ 4 (mod 12), we note that because (7, 12) = 
1, there is a unique solution modulo 12. To find this, we need only obtain a solution of 
the linear diophantine equation 7x - 12y = 4. The Euclidean algorithm gives 

12 = 7 · 1 + 5 
7 = 5 · 1 + 2 
5 = 2 · 2 + 1 
2 = 1 · 2. 

Hence, 1 = 5 - 2 · 2 = 5 - (7 - 5 · 1) · 2 = 5 · 3 - 2 · 7 = (12 - 7 · 1) · 3 - 2 · 7 = 12 · 
3 - 5 · 7. Therefore, a particular solution to the linear diophantine equation is x_0 = -20 
and y_0 = -12. Hence, all solutions of the linear congruences are given by x ≡ -20 ≡ 
4 (mod 12). ◄ 
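
Theorem 4.11 and the inverse method of Examples 4.12 through 4.15 can be carried out mechanically. The following Python sketch is an added example, not code from the text; its function names are chosen here, and it uses the extended Euclidean algorithm to find the particular solution x_0.

```python
"""Solve ax = b (mod m) as in Theorem 4.11, and find inverses modulo m."""


def extended_gcd(a, b):
    """Return (d, s, t) with d = (a, b) and a*s + b*t = d."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def solve_linear_congruence(a, b, m):
    """Sorted list of the incongruent solutions of ax = b (mod m).

    The list is empty when d = (a, m) does not divide b; otherwise it has
    exactly d entries, x_0 + (m/d)t for t = 0, 1, ..., d - 1.
    """
    if m <= 0:
        raise ValueError("modulus m must be a positive integer")
    a %= m
    b %= m
    d, s, _ = extended_gcd(a, m)      # a*s + m*t = d, so a*s = d (mod m)
    if b % d:
        return []                     # d does not divide b: no solutions
    x0 = s * (b // d) % m             # particular solution: a*x0 = b (mod m)
    step = m // d
    return sorted((x0 + step * t) % m for t in range(d))


def mod_inverse(a, m):
    """Least positive inverse of a modulo m; requires (a, m) = 1 and m > 1."""
    if m <= 1:
        raise ValueError("modulus m must be greater than 1")
    d, s, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: ({a}, {m}) = {d}")
    return s % m


def solve_with_inverse(a, b, m):
    """Unique solution of ax = b (mod m) when (a, m) = 1, via x = a_bar * b."""
    return mod_inverse(a, m) * b % m


if __name__ == "__main__":
    print(solve_linear_congruence(9, 12, 15))   # Example 4.12
    print(mod_inverse(7, 31))                   # Example 4.13
    print(solve_with_inverse(7, 22, 31))        # Example 4.14
    print(solve_linear_congruence(7, 4, 12))    # Example 4.15
    print(solve_linear_congruence(2, 1, 4))     # (2, 4) = 2 does not divide 1
```
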

Later we will want to know which integers are their own inverses modulo p, where 
p is prime. The following theorem tells us which integers have this property. 

Theorem 4.12. Let p be prime. The positive integer a is its own inverse modulo p if 
and only if a ≡ 1 (mod p) or a ≡ -1 (mod p). 

Proof. If a ≡ 1 (mod p) or a ≡ -1 (mod p), then a^2 ≡ 1 (mod p), so that a is its own 
inverse modulo p. 

Conversely, if a is its own inverse modulo p, then a^2 = a · a ≡ 1 (mod p). Hence, 
p | (a^2 - 1). Because a^2 - 1 = (a - 1)(a + 1), this implies that p | (a - 1) or p | (a + 1). 
Therefore, a ≡ 1 (mod p) or a ≡ -1 (mod p). ■ 


4.2 Exercises 

1. Find all solutions of each of the following linear congruences. 

a) 2x ≡ 5 (mod 7) c) 19x ≡ 30 (mod 40) e) 103x ≡ 444 (mod 999) 

b) 3x ≡ 6 (mod 9) d) 9x ≡ 5 (mod 25) f) 980x ≡ 1500 (mod 1600) 

2. Find all solutions of each of the following linear congruences. 

a) 3x ≡ 2 (mod 7) c) 17x ≡ 14 (mod 21) e) 128x ≡ 833 (mod 1001) 

b) 6x ≡ 3 (mod 9) d) 15x ≡ 9 (mod 25) f) 987x ≡ 610 (mod 1597) 

3. Find all solutions to the congruence 6,789,783x ≡ 2,474,010 (mod 28,927,591). 

4. Suppose that p is prime and that a and b are positive integers with (p, a) = 1. The following 
method can be used to solve the linear congruence ax = b (mod p). 

a) Show that if the integer x is a solution of ax ≡ b (mod p), then x is also a solution of the 
linear congruence 

a_1 x ≡ -b[m/a] (mod p), 

where a_1 is the least positive residue of p modulo a. Note that this congruence is of 
the same type as the original congruence, with a positive integer smaller than a as the 
coefficient of x. 

b) When the procedure of part (a) is iterated, one obtains a sequence of linear congruences 
with coefficients of x equal to a_0 = a > a_1 > a_2 > ···. Show that there is a positive integer 
n with a_n = 1, so that at the nth stage, one obtains a linear congruence x ≡ B (mod p). 

c) Use the method described in part (b) to solve the linear congruence 6x ≡ 7 (mod 23). 

5. An astronomer knows that a satellite orbits the Earth in a period that is an exact multiple of 
1 hour that is less than 1 day. If the astronomer notes that the satellite completes 11 orbits in 
an interval that starts when a 24-hour clock reads 0 hours and ends when the clock reads 17 
hours, how long is the orbital period of the satellite? 

6. For which integers c, 0 < c < 30, does the congruence 12x ≡ c (mod 30) have solutions? 
When there are solutions, how many incongruent solutions are there? 

7. For which integers c, 0 < c < 1001, does the congruence 154x ≡ c (mod 1001) have 
solutions? When there are solutions, how many incongruent solutions are there? 

8. Find an inverse modulo 13 of each of the following integers. 

a) 2 b) 3 c) 5 d) 11 

9. Find an inverse modulo 17 of each of the following integers. 

a) 4 b) 5 c) 7 d) 16 

10. a) Determine which integers a, where 1 < a < 14, have an inverse modulo 14. 

b) Find the inverse of each of the integers from part (a) that have an inverse modulo 14. 

11. a) Determine which integers a, where 1 < a < 30, have an inverse modulo 30. 

b) Find the inverse of each of the integers from part (a) that have an inverse modulo 30. 

12. Show that if ā is an inverse of a modulo m and b̄ is an inverse of b modulo m, then ā b̄ is an 
inverse of ab modulo m. 

13. Show that the linear congruence in two variables ax + by ≡ c (mod m), where a, b, c, and 
m are integers, m > 0, with d = (a, b, m), has exactly dm incongruent solutions if d | c, and 
no solutions otherwise. 

14. Find all solutions of each of the following linear congruences in two variables. 

a) 2x + 3y ≡ 1 (mod 7) c) 6x + 3y ≡ 0 (mod 9) 

b) 2x + 4y ≡ 6 (mod 8) d) 10x + 5y ≡ 9 (mod 15) 

15. Let p be an odd prime and k a positive integer. Show that the congruence x^2 ≡ 1 (mod p^k) 
has exactly two incongruent solutions, namely, x ≡ ±1 (mod p^k). 

16. Show that the congruence x^2 ≡ 1 (mod 2^k) has exactly four incongruent solutions, namely, 
x ≡ ±1 or ±(1 + 2^(k-1)) (mod 2^k), when k > 2. Show that when k = 1 there is one solution 
and that when k = 2 there are two incongruent solutions. 

17. Show that if a and m are relatively prime positive integers such that a < m, then an inverse 
of a modulo m can be found using O(log^3 m) bit operations. 

18. Show that if p is an odd prime and a is a positive integer not divisible by p, then the congruence 
x^2 ≡ a (mod p) has either no solution or exactly two incongruent solutions. 

Computations and Explorations 

1. Find the solutions of 123,456,789x ≡ 9,876,543,210 (mod 10,000,000,001). 

2. Find the solutions of 333,333,333x ≡ 87,543,211,376 (mod 967,454,302,211). 

3. Find the inverses of 734,342; 499,999; and 1,000,001 modulo 1,533,331. 

Programming Projects 

1. Solve linear congruences using the method given in the text. 

2. Solve linear congruences using the method given in Exercise 4. 
3. Given an integer a relatively prime to a positive integer m > 2, find the inverse of a 
modulo m. 

4. Solve linear congruences using inverses. 

5. Solve linear congruences in two variables. 


4.3 The Chinese Remainder Theorem 

In this and in the following section, we discuss systems of simultaneous congruences. 
We will study two types of such systems: In the first type, there are two or more linear 
congruences in one variable, with different moduli. The second type consists of more 
than one simultaneous congruence in more than one variable, where all congruences 
have the same modulus. 

First, we consider systems of congruences that involve only one unknown, but 
different moduli. Such systems arose in ancient Chinese puzzles such as the following 
problem, which appears in Master Sun’s Mathematical Manual, written late in the third 
century c.E. Find a number that leaves a remainder of 1 when divided by 3, a remainder 
of 2 when divided by 5, and a remainder of 3 when divided by 7. This puzzle leads to 
the following system of congruences: 

x = 1 (mod 3), x = 2 (mod 5), x = 3 (mod 7). 

Problems involving systems of congruences occur in the writings of the Greek 
mathematician Nicomachus in the first century. They also can be found in the works of 
Brahmagupta in India in the seventh century. However, it was not until the year 1247 that 
a general method for solving systems of linear congruences was published by Ch’in Chiu-Shao
in his Mathematical Treatise in Nine Sections. We now present the main theorem
concerning the solution of systems of linear congruences in one unknown. This theorem 
is called the Chinese remainder theorem, most likely because of the contributions of 
Chinese mathematicians such as Ch’in Chiu-Shao to its solution. (For more information 
about the history of the Chinese remainder theorem, consult [Ne69], [LiDu87], [Li73], 
and [Ka98].) 

Theorem 4.13. The Chinese Remainder Theorem. Let $m_1, m_2, \ldots, m_r$ be pairwise
relatively prime positive integers. Then the system of congruences

$$\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2} \\
&\;\;\vdots \\
x &\equiv a_r \pmod{m_r}
\end{aligned}$$

has a unique solution modulo $M = m_1 m_2 \cdots m_r$.

Proof. First, we construct a simultaneous solution to the system of congruences. To
do this, let $M_k = M/m_k = m_1 m_2 \cdots m_{k-1} m_{k+1} \cdots m_r$. We know that $(M_k, m_k) = 1$ by
Exercise 14 of Section 3.3, because $(m_j, m_k) = 1$ whenever $j \neq k$. Hence, by Theorem
4.11 we can find an inverse $y_k$ of $M_k$ modulo $m_k$, so that $M_k y_k \equiv 1 \pmod{m_k}$. We now
form the sum

$$x = a_1 M_1 y_1 + a_2 M_2 y_2 + \cdots + a_r M_r y_r.$$

The integer $x$ is a simultaneous solution of the $r$ congruences. To demonstrate this,
we must show that $x \equiv a_k \pmod{m_k}$ for $k = 1, 2, \ldots, r$. Because $m_k \mid M_j$ whenever
$j \neq k$, we have $M_j \equiv 0 \pmod{m_k}$. Therefore, in the sum for $x$, all terms except the
$k$th term are congruent to $0 \pmod{m_k}$. Hence, $x \equiv a_k M_k y_k \equiv a_k \pmod{m_k}$, because
$M_k y_k \equiv 1 \pmod{m_k}$. We now show that any two solutions are congruent modulo $M$.
Let $x_0$ and $x_1$ both be simultaneous solutions to the system of $r$ congruences. Then, for
each $k$, $x_0 \equiv x_1 \equiv a_k \pmod{m_k}$, so that $m_k \mid (x_0 - x_1)$. Using Theorem 4.9, we see that
$M \mid (x_0 - x_1)$. Therefore, $x_0 \equiv x_1 \pmod{M}$. This shows that the simultaneous solution
of the system of $r$ congruences is unique modulo $M$. ■

We illustrate the use of the Chinese remainder theorem by solving the system that 
arises from the ancient Chinese puzzle. 

Example 4.16. To solve the system

$$\begin{aligned}
x &\equiv 1 \pmod{3} \\
x &\equiv 2 \pmod{5} \\
x &\equiv 3 \pmod{7},
\end{aligned}$$

we have $M = 3 \cdot 5 \cdot 7 = 105$, $M_1 = 105/3 = 35$, $M_2 = 105/5 = 21$, and $M_3 = 105/7 = 15$.
To determine $y_1$, we solve $35y_1 \equiv 1 \pmod{3}$, or equivalently, $2y_1 \equiv 1 \pmod{3}$.


CH’IN CHIU-SHAO (1202-1261) was born in the Chinese province of Sichuan. He
studied astronomy at Hangzhou, the capital of the Song dynasty. He spent ten years in 
dangerous and difficult conditions at the frontier, where battles with the Mongols under 
Genghis Khan were under way. He wrote that he was instructed in mathematics by a “recluse 
scholar.” During his time at the frontier, he investigated mathematical problems. He selected 
81 of these, divided them into nine classes, and described them in his book Mathematical 
Treatise in Nine Sections. This book covers systems of linear congruences, the Chinese 
remainder theorem, algebraic equations, areas of geometrical figures, systems of linear 
equations, and other topics. 

Ch’in Chiu-Shao was considered to be a mathematical genius and was talented in 
architecture, music, and poetry, as well as in many sports, including archery, fencing, and 
horsemanship. He held several different positions in government, but was relieved of his 
duties many times because of corruption. He was considered to be extravagant, boastful, and 
obsessed with his own advancement. He managed to amass great wealth and through deceit 
had an immense house constructed at a magnificent site. The back of this house contained 
a series of rooms for lodging female musicians and singers. Ch’in Chiu-Shao developed a 
notorious reputation in love affairs. 
This yields $y_1 \equiv 2 \pmod{3}$. We find $y_2$ by solving $21y_2 \equiv 1 \pmod{5}$; this immediately
gives $y_2 \equiv 1 \pmod{5}$. Finally, we find $y_3$ by solving $15y_3 \equiv 1 \pmod{7}$. This gives
$y_3 \equiv 1 \pmod{7}$. Hence,

$$x \equiv 1 \cdot 35 \cdot 2 + 2 \cdot 21 \cdot 1 + 3 \cdot 15 \cdot 1 = 157 \equiv 52 \pmod{105}.$$

We can check that $x$ satisfies this system of congruences whenever $x \equiv 52 \pmod{105}$
by noting that $52 \equiv 1 \pmod{3}$, $52 \equiv 2 \pmod{5}$, and $52 \equiv 3 \pmod{7}$. ◄

There is also an iterative method for solving simultaneous systems of congruences. 
We illustrate this method with an example. 

Example 4.17. Suppose we wish to solve the system

$$\begin{aligned}
x &\equiv 1 \pmod{5} \\
x &\equiv 2 \pmod{6} \\
x &\equiv 3 \pmod{7}.
\end{aligned}$$

We use Theorem 4.1 to rewrite the first congruence as an equality, namely, $x = 5t + 1$,
where $t$ is an integer. Inserting this expression for $x$ into the second congruence, we find
that

$$5t + 1 \equiv 2 \pmod{6},$$

which can easily be solved to show that $t \equiv 5 \pmod{6}$. Using Theorem 4.1 again, we
write $t = 6u + 5$, where $u$ is an integer. Hence, $x = 5(6u + 5) + 1 = 30u + 26$. When
we insert this expression for $x$ into the third congruence, we obtain

$$30u + 26 \equiv 3 \pmod{7}.$$

When this congruence is solved, we find that $u \equiv 6 \pmod{7}$. Consequently, Theorem 4.1
tells us that $u = 7v + 6$, where $v$ is an integer. Hence,

$$x = 30(7v + 6) + 26 = 210v + 206.$$

Translating this equality into a congruence, we find that

$$x \equiv 206 \pmod{210},$$

and this is the simultaneous solution. ◄

Note that the method we have just illustrated shows that a system of simultaneous
congruences can be solved by successively solving linear congruences. This can be done
even when the moduli of the congruences are not relatively prime as long as the congruences
are consistent (see Exercises 15-20 at the end of this section).
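
The iterative method of Example 4.17, written out as an added Python example (not code from the text). It goes slightly beyond the example by also handling moduli that are not relatively prime, reporting an inconsistent system instead of a wrong answer; the function names and the two small non-coprime systems at the end are constructed for illustration.

```python
def ext_gcd(a, b):
    """Extended Euclidean algorithm: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def solve_linear(a, b, m):
    """Solve a*t ≡ b (mod m).

    Returns (t0, step), meaning t ≡ t0 (mod step) with step = m / gcd(a, m),
    or None when gcd(a, m) does not divide b, so that no solution exists.
    """
    g, s, _ = ext_gcd(a % m, m)
    if b % g:
        return None
    step = m // g
    return (s * (b // g)) % step, step


def merge(c1, c2):
    """Combine x ≡ a1 (mod m1) and x ≡ a2 (mod m2) into one congruence.

    Write x = a1 + m1*t (as in Example 4.17) and solve m1*t ≡ a2 - a1 (mod m2).
    Returns (a, lcm(m1, m2)) or None if the two congruences are inconsistent.
    """
    (a1, m1), (a2, m2) = c1, c2
    sol = solve_linear(m1, a2 - a1, m2)
    if sol is None:
        return None
    t0, step = sol
    modulus = m1 * step          # m1 * m2 / gcd(m1, m2), the least common multiple
    return (a1 + m1 * t0) % modulus, modulus


def solve_system(congruences):
    """Solve a list of (residue, modulus) pairs by successive substitution."""
    result = (0, 1)              # every integer satisfies x ≡ 0 (mod 1)
    for c in congruences:
        result = merge(result, c)
        if result is None:
            return None
    return result


if __name__ == "__main__":
    # Example 4.16 and Example 4.17 from the text.
    print(solve_system([(1, 3), (2, 5), (3, 7)]))
    print(solve_system([(1, 5), (2, 6), (3, 7)]))
    # Constructed systems with moduli 4 and 6, which share the factor 2.
    print(solve_system([(3, 4), (5, 6)]))   # consistent: 2 divides 5 - 3
    print(solve_system([(1, 4), (2, 6)]))   # inconsistent: 2 does not divide 2 - 1
```
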

Computer Arithmetic Using the Chinese Remainder Theorem. The Chinese remainder
theorem provides a way to perform computer arithmetic with large integers.
To store very large integers and do arithmetic with them requires special techniques.
The Chinese remainder theorem tells us that given pairwise relatively prime moduli $m_1,
m_2, \ldots, m_r$, a positive integer $n$ such that $n < M = m_1 m_2 \cdots m_r$ is uniquely determined
by its least positive residues modulo $m_j$ for $j = 1, 2, \ldots, r$. Suppose that the
word size of a computer is only 100, but that we wish to do arithmetic with integers as
large as $10^6$. First, we find pairwise relatively prime integers less than 100 with a product
exceeding $10^6$; for instance, we can take $m_1 = 99$, $m_2 = 98$, $m_3 = 97$, and $m_4 = 95$. We
convert integers less than $10^6$ into 4-tuples consisting of their least positive residues modulo
$m_1$, $m_2$, $m_3$, and $m_4$. (To convert integers as large as $10^6$ into their list of least positive
residues, we need to work with large integers using multiprecision techniques. However,
this is done only once for each integer in the input and once for the output.) Then, for
instance, to add integers, we simply add their respective least positive residues modulo
$m_1$, $m_2$, $m_3$, and $m_4$, making use of the fact that if $x \equiv x_i \pmod{m_i}$ and $y \equiv y_i \pmod{m_i}$,
then $x + y \equiv x_i + y_i \pmod{m_i}$. We then use the Chinese remainder theorem to convert
the set of four least positive residues for the sum back to an integer.

The following example illustrates this technique. 

Example 4.18. We wish to add $x = 123{,}684$ and $y = 413{,}456$ on a computer of word
size 100. We have

$$\begin{aligned}
x &\equiv 33 \pmod{99} & y &\equiv 32 \pmod{99} \\
x &\equiv 8 \pmod{98} & y &\equiv 92 \pmod{98} \\
x &\equiv 9 \pmod{97} & y &\equiv 42 \pmod{97} \\
x &\equiv 89 \pmod{95} & y &\equiv 16 \pmod{95}
\end{aligned}$$

so that

$$\begin{aligned}
x + y &\equiv 65 \pmod{99} \\
x + y &\equiv 2 \pmod{98} \\
x + y &\equiv 51 \pmod{97} \\
x + y &\equiv 10 \pmod{95}.
\end{aligned}$$

We now use the Chinese remainder theorem to find $x + y$ modulo $99 \cdot 98 \cdot 97 \cdot 95$.

We have $M = 99 \cdot 98 \cdot 97 \cdot 95 = 89{,}403{,}930$, $M_1 = M/99 = 903{,}070$, $M_2 = M/98 =
912{,}285$, $M_3 = M/97 = 921{,}690$, and $M_4 = M/95 = 941{,}094$. We need to find the
inverse of $M_i \pmod{m_i}$ for $i = 1, 2, 3, 4$. To do this, we solve the following congruences
(using the Euclidean algorithm):

$$\begin{aligned}
903{,}070\,y_1 &\equiv 91y_1 \equiv 1 \pmod{99} \\
912{,}285\,y_2 &\equiv 3y_2 \equiv 1 \pmod{98} \\
921{,}690\,y_3 &\equiv 93y_3 \equiv 1 \pmod{97} \\
941{,}094\,y_4 &\equiv 24y_4 \equiv 1 \pmod{95}.
\end{aligned}$$

We find that $y_1 \equiv 37 \pmod{99}$, $y_2 \equiv 33 \pmod{98}$, $y_3 \equiv 24 \pmod{97}$, and $y_4 \equiv 4
\pmod{95}$. Hence,

$$\begin{aligned}
x + y &\equiv 65 \cdot 903{,}070 \cdot 37 + 2 \cdot 912{,}285 \cdot 33 + 51 \cdot 921{,}690 \cdot 24 + 10 \cdot 941{,}094 \cdot 4 \\
&= 3{,}397{,}886{,}480 \\
&\equiv 537{,}140 \pmod{89{,}403{,}930}.
\end{aligned}$$

Because $0 < x + y < 89{,}403{,}930$, we conclude that $x + y = 537{,}140$. ◄

On most computers, the word size is a large power of 2, with $2^{35}$ a common value.
Hence, to use modular arithmetic and the Chinese remainder theorem to do computer
arithmetic, we need integers less than $2^{35}$ that are pairwise relatively prime and that
multiply together to give a large integer. To find such integers, we use numbers of the
form $2^m - 1$, where $m$ is a positive integer. Computer arithmetic with these numbers
turns out to be relatively simple (see [Kn97]). To produce a set of pairwise relatively
prime numbers of this form, we first prove two lemmas.

Lemma 4.2. If $a$ and $b$ are positive integers, then the least positive residue of $2^a - 1$
modulo $2^b - 1$ is $2^r - 1$, where $r$ is the least positive residue of $a$ modulo $b$.

Proof. From the division algorithm, $a = bq + r$, where $r$ is the least positive residue
of $a$ modulo $b$. We have $2^a - 1 = 2^{bq+r} - 1 = (2^b - 1)(2^{b(q-1)+r} + \cdots + 2^{b+r} + 2^r) +
(2^r - 1)$, which shows that the remainder when $2^a - 1$ is divided by $2^b - 1$ is $2^r - 1$; this
is the least positive residue of $2^a - 1$ modulo $2^b - 1$. ■

We use Lemma 4.2 to prove the following result. 

Lemma 4.3. If $a$ and $b$ are positive integers, then the greatest common divisor of $2^a - 1$
and $2^b - 1$ is $2^{(a,b)} - 1$.


Proof. Without loss of generality, we assume that $a > b$. When we perform the Euclidean
algorithm with $a = r_0$ and $b = r_1$, we obtain

$$\begin{aligned}
r_0 &= r_1 q_1 + r_2 & 0 < r_2 &< r_1 \\
r_1 &= r_2 q_2 + r_3 & 0 < r_3 &< r_2 \\
&\;\;\vdots \\
r_{n-3} &= r_{n-2} q_{n-2} + r_{n-1} & 0 < r_{n-1} &< r_{n-2} \\
r_{n-2} &= r_{n-1} q_{n-1},
\end{aligned}$$

where the last remainder, $r_{n-1}$, is the greatest common divisor of $a$ and $b$.

Now, we apply the Euclidean algorithm a second time to the pair $R_0 = 2^a - 1$ and
$R_1 = 2^b - 1$, applying Lemma 4.2 to obtain the remainder at each step:

$$\begin{aligned}
R_0 &= R_1 Q_1 + R_2 & R_2 &= 2^{r_2} - 1 \\
R_1 &= R_2 Q_2 + R_3 & R_3 &= 2^{r_3} - 1 \\
&\;\;\vdots \\
R_{n-3} &= R_{n-2} Q_{n-2} + R_{n-1} & R_{n-1} &= 2^{r_{n-1}} - 1 \\
R_{n-2} &= R_{n-1} Q_{n-1}.
\end{aligned}$$

Here, the last nonzero remainder, $R_{n-1} = 2^{r_{n-1}} - 1 = 2^{(a,b)} - 1$, is the greatest common
divisor of $R_0$ and $R_1$. ■

Using Lemma 4.3, we have the following theorem. 
Theorem 4.14. The positive integers $2^a - 1$ and $2^b - 1$ are relatively prime if and only
if $a$ and $b$ are relatively prime.

We can now use Theorem 4.14 to produce a set of pairwise relatively prime integers,
each of which is less than $2^{35}$, with product greater than a specified integer. Suppose
that we wish to do arithmetic with integers as large as $2^{184}$. We pick $m_1 = 2^{35} - 1$,
$m_2 = 2^{34} - 1$, $m_3 = 2^{33} - 1$, $m_4 = 2^{31} - 1$, $m_5 = 2^{29} - 1$, and $m_6 = 2^{23} - 1$. Because the
exponents of 2 in the expressions for the $m_j$ are pairwise relatively prime, by Theorem
4.13 the $m_j$ are pairwise relatively prime. Also, we have $M = m_1 m_2 m_3 m_4 m_5 m_6 > 2^{184}$.
We can now use modular arithmetic and the Chinese remainder theorem to perform
arithmetic with integers as large as $2^{184}$.
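
The residue arithmetic of Example 4.18 and the choice of moduli of the form $2^m - 1$, as an added Python example (not code from the text). Reconstruction uses the sum $a_1 M_1 y_1 + \cdots + a_r M_r y_r$ from the proof of Theorem 4.13; the function names and the operands used for multiplication and for the large moduli are constructed for illustration, and Python 3.8 or later is assumed for `pow(x, -1, m)` and `math.prod`.

```python
from itertools import combinations
from math import gcd, prod


def to_residues(n, moduli):
    """Represent n by its least nonnegative residues modulo each modulus."""
    return tuple(n % m for m in moduli)


def from_residues(residues, moduli):
    """Rebuild n < M from its residues, following the proof of Theorem 4.13."""
    M = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = M // m_k
        y_k = pow(M_k, -1, m_k)   # inverse of M_k modulo m_k; fails if not coprime
        x += a_k * M_k * y_k
    return x % M


def rns_add(u, v, moduli):
    """Add two numbers given as residue tuples; each component stays below its modulus."""
    return tuple((a + b) % m for a, b, m in zip(u, v, moduli))


def rns_mul(u, v, moduli):
    """Multiply two numbers given as residue tuples, component by component."""
    return tuple((a * b) % m for a, b, m in zip(u, v, moduli))


def mersenne_moduli(exponents):
    """Return the moduli 2^e - 1 after checking the exponents are pairwise coprime.

    By Theorem 4.14 this check on the small exponents is enough to guarantee
    that the large moduli themselves are pairwise relatively prime.
    """
    for a, b in combinations(exponents, 2):
        if gcd(a, b) != 1:
            raise ValueError(f"exponents {a} and {b} share a factor")
    return tuple(2**e - 1 for e in exponents)


SMALL = (99, 98, 97, 95)                            # word size 100, as in Example 4.18
BIG = mersenne_moduli((35, 34, 33, 31, 29, 23))     # the six moduli chosen in the text


def example_4_18():
    """Add 123,684 and 413,456 using only residues below 100."""
    rx = to_residues(123_684, SMALL)
    ry = to_residues(413_456, SMALL)
    rsum = rns_add(rx, ry, SMALL)
    return rx, ry, rsum, from_residues(rsum, SMALL)


def big_product(a, b):
    """Multiply a and b through residues modulo BIG; valid while a*b < prod(BIG)."""
    return from_residues(rns_mul(to_residues(a, BIG), to_residues(b, BIG), BIG), BIG)


if __name__ == "__main__":
    print(example_4_18())
    # Constructed operands whose product is close to 2^183, still below M.
    a, b = 2**90 + 7, 2**93 + 11
    print(big_product(a, b) == a * b)
```

The result is only correct while the true sum or product stays below $M$; past that point the reconstruction silently returns the value reduced modulo $M$.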

Although it is somewhat awkward to do computer operations with large integers 
using modular arithmetic and the Chinese remainder theorem, there are some definite 
advantages to this approach. First, on many high-speed computers, operations can be 
performed simultaneously. So, reducing an operation involving two large integers to 
a set of operations involving smaller integers, namely, the least positive residues of the 
large integers with respect to the various moduli, leads to simultaneous computations that 
may be performed more rapidly than one operation with large integers, especially when 
parallel processing is used. Second, even without taking into account the advantages of 
simultaneous computations, multiplication of large integers may be done faster using 
these ideas than with many other multiprecision methods. The interested reader should 
consult Knuth [Kn97]. 


Exercises 


1. Which integers leave a remainder of 1 when divided by both 2 and 3? 


2. Find an integer that leaves a remainder of 1 when divided by either 2 or 5, but that is divisible 
by 3. 

3. Find an integer that leaves a remainder of 2 when divided by either 3 or 5, but that is divisible 
by 4. 


4. Find all the solutions of each of the following systems of linear congruences.

a) $x \equiv 4 \pmod{11}$
   $x \equiv 3 \pmod{17}$

b) $x \equiv 1 \pmod{2}$
   $x \equiv 2 \pmod{3}$
   $x \equiv 3 \pmod{5}$

c) $x \equiv 0 \pmod{2}$
   $x \equiv 0 \pmod{3}$
   $x \equiv 1 \pmod{5}$
   $x \equiv 6 \pmod{7}$

d) $x \equiv 2 \pmod{11}$
   $x \equiv 3 \pmod{12}$
   $x \equiv 4 \pmod{13}$
   $x \equiv 5 \pmod{17}$
   $x \equiv 6 \pmod{19}$

5. Find all the solutions to the system of linear congruences $x \equiv 1 \pmod{2}$, $x \equiv 2 \pmod{3}$,
$x \equiv 3 \pmod{5}$, $x \equiv 4 \pmod{7}$, and $x \equiv 5 \pmod{11}$.

6. Find all the solutions to the system of linear congruences $x \equiv 1 \pmod{999}$, $x \equiv 2 \pmod{1001}$,
$x \equiv 3 \pmod{1003}$, $x \equiv 4 \pmod{1004}$, and $x \equiv 5 \pmod{1007}$.

7. A troop of 17 monkeys store their bananas in 11 piles of equal size, each containing more
than 1 banana, with a twelfth pile of 6 left over. When they divide the bananas into 17 equal
groups, none remain. What is the smallest number of bananas they can have?

8. As an odometer check, a special counter measures the miles a car travels modulo 7. Explain 
how this counter can be used to determine whether the car has been driven 49,335; 149,335; 
or 249,335 miles when the odometer reads 49,335 and works modulo 100,000. 

9. Chinese generals counted troops remaining after a battle by lining them up in rows of 
different lengths, counting the number left over each time, and calculating the total from 
these remainders. If a general had 1200 troops at the start of a battle and if there were 3 left 
over when they lined up 5 at a time, 3 left over when they lined up 6 at a time, 1 left over 
when they lined up 7 at a time, and none left over when they lined up 11 at a time, how many
troops remained after the battle? 

10. Find an integer that leaves a remainder of 9 when it is divided by either 10 or 11, but that is
divisible by 13.

11. Find a multiple of 11 that leaves a remainder of 1 when divided by each of the integers 2, 3, 5,
and 7.

12. Solve the following ancient Indian problem: If eggs are removed from a basket 2, 3, 4, 5, and
6 at a time, there remain, respectively, 1, 2, 3, 4, and 5 eggs. But if the eggs are removed 7 at
a time, no eggs remain. What is the least number of eggs that could have been in the basket?

13. Show that there are arbitrarily long strings of consecutive integers each divisible by a perfect
square greater than 1. (Hint: Use the Chinese remainder theorem to show that there is a
simultaneous solution to the system of congruences $x \equiv 0 \pmod{4}$, $x \equiv -1 \pmod{9}$, $x \equiv -2
\pmod{25}$, . . . , $x \equiv -k + 1 \pmod{p_k^2}$, where $p_k$ is the $k$th prime.)

* 14. Show that if $a$, $b$, and $c$ are integers such that $(a, b) = 1$, then there is an integer $n$ such that
$(an + b, c) = 1$.

In Exercises 15-18, we will consider systems of congruences where the moduli of the congruences
are not necessarily relatively prime.

15. Show that the system of congruences

$$\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2}
\end{aligned}$$

has a solution if and only if $(m_1, m_2) \mid (a_1 - a_2)$. Show that when there is a solution, it is
unique modulo $[m_1, m_2]$. (Hint: Write the first congruence as $x = a_1 + km_1$, where $k$ is an
integer, and then insert this expression for $x$ into the second congruence.)

16. Using Exercise 15, solve each of the following simultaneous systems of congruences.

a) $x \equiv 4 \pmod{6}$
   $x \equiv 13 \pmod{15}$

b) $x \equiv 7 \pmod{10}$
   $x \equiv 4 \pmod{15}$

17. Using Exercise 15, solve each of the following simultaneous systems of congruences.

a) $x \equiv 10 \pmod{60}$
   $x \equiv 80 \pmod{350}$

b) $x \equiv 2 \pmod{910}$
   $x \equiv 93 \pmod{1001}$

18. Does the system of congruences $x \equiv 1 \pmod{8}$, $x \equiv 3 \pmod{9}$, and $x \equiv 2 \pmod{12}$ have any
simultaneous solutions?

What happens when the moduli in a simultaneous system of more than two congruences in one
unknown are not pairwise relatively prime (such as in Exercise 18)? The following exercise
provides compatibility conditions for there to be a unique solution of such a system, modulo
the least common multiple of the moduli.

19. Show that the system of congruences

$$\begin{aligned}
x &\equiv a_1 \pmod{m_1} \\
x &\equiv a_2 \pmod{m_2} \\
&\;\;\vdots \\
x &\equiv a_r \pmod{m_r}
\end{aligned}$$

has a solution if and only if $(m_i, m_j) \mid (a_i - a_j)$ for all pairs of integers $(i, j)$, where
$1 \le i < j \le r$. Show that if a solution exists, then it is unique modulo $[m_1, m_2, \ldots, m_r]$.
(Hint: Use Exercise 15 and mathematical induction.)

20. Using Exercise 19, solve each of the following systems of congruences.

a) $x \equiv 5 \pmod{6}$
   $x \equiv 3 \pmod{10}$
   $x \equiv 8 \pmod{15}$

b) $x \equiv 2 \pmod{14}$
   $x \equiv 16 \pmod{21}$
   $x \equiv 10 \pmod{30}$

c) $x \equiv 2 \pmod{9}$
   $x \equiv 8 \pmod{15}$
   $x \equiv 10 \pmod{25}$

d) $x \equiv 2 \pmod{6}$
   $x \equiv 4 \pmod{8}$
   $x \equiv 2 \pmod{14}$
   $x \equiv 14 \pmod{15}$

e) $x \equiv 7 \pmod{9}$
   $x \equiv 2 \pmod{10}$
   $x \equiv 3 \pmod{12}$
   $x \equiv 6 \pmod{15}$

21. What is the smallest number of lobsters in a tank if 1 lobster is left over when they are removed 
2, 3, 5, or 7 at a time, but no lobsters are left over when they are removed 11 at a time? 

22. An ancient Chinese problem asks for the least number of gold coins a band of 17 pirates 
could have stolen. The problem states that when the pirates divided the coins into equal piles, 
3 coins were left over. When they fought over who should get the extra coins, one of the 
pirates was slain. When the remaining pirates divided the coins into equal piles, 10 coins 
were left over. When the pirates fought again over who should get the extra coins, another 
pirate was slain. When they divided the coins in equal piles again, no coins were left over. 
What is the answer to this problem? 

23. Solve the following problem originally posed by Ch’in Chiu-Shao (using different weight 
units). Three farmers equally divide a quantity of rice with a weight that is an integral number 
of pounds. The farmers each sell their rice, selling as much as possible, at three different 
markets where the markets use weights of 83 pounds, 110 pounds, and 135 pounds, and only
buy rice in multiples of these weights. What is the least amount of rice the farmers could have 
divided if the farmers return home with 32 pounds, 70 pounds, and 30 pounds, respectively? 

24. Using the Chinese remainder theorem, explain how to add and how to multiply 784 and 813 
on a computer of word size 100. 


An integer $x > 2$ with $n$ base $b$ digits is called an automorph to the base $b$ if the last $n$ base $b$
digits of $x^2$ are the same as those of $x$.

* 25. Find the base 10 automorphs with four digits (with initial zeros allowed).

* 26. How many base $b$ automorphs are there with $n$ or fewer base $b$ digits if $b$ has prime-power
factorization $b = p_1^{b_1} p_2^{b_2} \cdots p_k^{b_k}$?




According to the theory of biorhythms, there are three cycles in your life that start the day you are
born. These are the physical, emotional, and intellectual cycles, of lengths 23, 28, and 33 days,
respectively. Each cycle follows a sine curve with period equal to the length of that cycle, starting
with value 0, climbing to value 1 one-quarter of the way through the cycle, dropping back to value
0 one-half of the way through the cycle, dropping further to value −1 three-quarters of the way
through the cycle, and climbing back to value 0 at the end of the cycle.

Answer Exercises 27-29 about biorhythms, measuring time in quarter days (so that the units will 
be integers). 

27. For which days of your life will you be at a triple peak, where all of your three cycles are at 
maximum values? 

28. For which days of your life will you be at a triple nadir, where all three of your cycles have 
minimum values? 

29. When in your life will all three cycles be at a neutral position (value 0)? 

A set of congruences to distinct moduli greater than 1 that has the property that every integer 
satisfies at least one of the congruences is called a covering set of congruences. 

30. Show that the set of congruences $x \equiv 0 \pmod{2}$, $x \equiv 0 \pmod{3}$, $x \equiv 1 \pmod{4}$, $x \equiv 1
\pmod{6}$, and $x \equiv 11 \pmod{12}$ is a covering set of congruences.

> 31. Show that the system of congruences $x \equiv 1 \pmod{2}$, $x \equiv 2 \pmod{4}$, $x \equiv 1 \pmod{3}$, $x \equiv
8 \pmod{12}$, $x \equiv 4 \pmod{8}$, and $x \equiv 0 \pmod{24}$ is a covering set of congruences.

32. Show that the system of congruences $x \equiv 1 \pmod{2}$, $x \equiv 0 \pmod{4}$, $x \equiv 0 \pmod{3}$, $x \equiv
2 \pmod{12}$, $x \equiv 2 \pmod{8}$, and $x \equiv 22 \pmod{24}$ is a covering set of congruences.

33. Show that the set of congruences $x \equiv 0 \pmod{2}$, $x \equiv 0 \pmod{3}$, $x \equiv 0 \pmod{5}$, $x \equiv 0 \pmod{7}$,
$x \equiv 1 \pmod{6}$, $x \equiv 1 \pmod{10}$, $x \equiv 1 \pmod{14}$, $x \equiv 2 \pmod{15}$, $x \equiv 2 \pmod{21}$, $x \equiv
23 \pmod{30}$, $x \equiv 4 \pmod{35}$, $x \equiv 5 \pmod{42}$, $x \equiv 59 \pmod{70}$, and $x \equiv 104 \pmod{105}$
is a covering set of congruences.

* 34. Let $m$ be a positive integer with prime-power factorization $m = 2^{a_0} p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$. Show that
the congruence $x^2 \equiv 1 \pmod{m}$ has exactly $2^{r+e}$ solutions, where $e = 0$ if $a_0 = 0$ or 1, $e = 1$
if $a_0 = 2$, and $e = 2$ if $a_0 > 2$. (Hint: Use Exercises 15 and 16 of Section 4.2.)

35. The three children in a family have feet that are 5 inches, 7 inches, and 9 inches long. When 
they measure the length of the dining room of their house using their feet, they each find that 
there are 3 inches left over. How long is the dining room? 

36. Find all solutions of the congruence $x^2 + 6x - 31 \equiv 0 \pmod{72}$. (Hint: First note that $72 =
2^3 3^2$. Find, by trial and error, the solutions of this congruence modulo 8 and modulo 9. Then
apply the Chinese remainder theorem.)

37. Find all solutions of the congruence $x^2 + 18x - 823 \equiv 0 \pmod{1800}$. (Hint: First note that
$1800 = 2^3 3^2 5^2$. Find, by trial and error, the solutions of this congruence modulo 8, modulo
9, and modulo 25. Then apply the Chinese remainder theorem.)

* 38. Given a positive integer $R$, a prime $p$ that is the only prime between $p - R$ and $p + R$,
including the end points, is called $R$-reclusive. Show that for every positive integer $R$, there
are infinitely many $R$-reclusive primes. (Hint: Use the Chinese remainder theorem to find an
integer $x$ such that $x - j$ is divisible by $p_j$ and $x + j$ is divisible by $p_{R+j}$, where $p_k$ is the
$k$th prime. Then invoke Dirichlet’s theorem on primes in arithmetic progressions.)

Computations and Explorations

1. Solve the simultaneous system of congruences $x \equiv 1 \pmod{12{,}341{,}234{,}567}$, $x \equiv 2
\pmod{750{,}000{,}057}$, and $x \equiv 3 \pmod{1{,}099{,}511{,}627{,}776}$.

2. Solve the simultaneous system of congruences $x \equiv 5269 \pmod{40{,}320}$, $x \equiv 1248
\pmod{11{,}111}$, $x \equiv 16{,}645 \pmod{30{,}003}$, and $x \equiv 2911 \pmod{12{,}321}$.

3. Using Exercise 13 of this section, find a string of 100 consecutive positive integers each 
divisible by a perfect square. Can you find such a set of smaller integers? 

4. Find a covering set of congruences (as described in the preamble to Exercise 30) where the 
smallest modulus of one of the congruences in the covering set is 3, where the smallest 
modulus of one of the congruences in the covering set is 6, and where the smallest modulus 
of one of the congruences in the covering set is 8. 


Programming Projects 

1. Solve systems of linear congruences of the type found in the Chinese remainder theorem. 

2. Solve systems of linear congruences of the type given in Exercises 15-20. 

3. Add large integers exceeding the word size of a computer using the Chinese remainder 
theorem. 

4. Multiply large integers exceeding the word size of a computer using the Chinese remainder 
theorem. 

5. Given a positive integer b > 1, find automorphs to the base b than 1 (see the preamble to 
Exercise 25). 

6. Plot biorhythm charts and find triple peaks and triple nadirs (see the preamble to Exercise 
27). 


4.4 Solving Polynomial Congruences 

This section provides a useful tool that can be used to help find solutions of congruences
of the form $f(x) \equiv 0 \pmod{m}$, where $f(x)$ is a polynomial of degree greater than 1 with
integer coefficients. An example of such a congruence is $2x^3 + 7x - 4 \equiv 0 \pmod{200}$.

We first note that if $m$ has prime-power factorization $m = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, then
solving the congruence $f(x) \equiv 0 \pmod{m}$ is equivalent to finding the simultaneous
solutions to the system of congruences

$$f(x) \equiv 0 \pmod{p_i^{a_i}}, \quad i = 1, 2, \ldots, k.$$

Once the solutions of each of the $k$ congruences modulo $p_i^{a_i}$ are known, the solutions
of the congruence modulo $m$ can be found by the Chinese remainder theorem. This is
illustrated in the following example.

Example 4.19. Solving the congruence

$$2x^3 + 7x - 4 \equiv 0 \pmod{200}$$

reduces to finding the solutions of

$$2x^3 + 7x - 4 \equiv 0 \pmod{8}$$

and

$$2x^3 + 7x - 4 \equiv 0 \pmod{25},$$

because $200 = 2^3 5^2$. The solutions of the congruence modulo 8 are all integers $x \equiv
4 \pmod{8}$ (for $x$ to be a solution $x$ must be even; the cases where $x$ is odd can be quickly
checked). In Example 4.20, we will see that the solutions modulo 25 are all integers
$x \equiv 16 \pmod{25}$. When we use the Chinese remainder theorem to solve the simultaneous
congruences $x \equiv 4 \pmod{8}$ and $x \equiv 16 \pmod{25}$, we find that the solutions are all
$x \equiv 116 \pmod{200}$ (as the reader should verify). These are solutions of $2x^3 + 7x - 4 \equiv
0 \pmod{200}$. ◄

We will see that there is a relatively simple way to solve polynomial congruences
modulo $p^k$, once all solutions modulo $p$ are known. We will show that solutions modulo
$p$ can be used to find solutions modulo $p^2$, solutions modulo $p^2$ can be used to find
solutions modulo $p^3$, and so on. Before introducing the general method, we present an
example illustrating the basic idea used to find solutions of a polynomial congruence
modulo $p^2$ from those modulo $p$.

Example 4.20. The solutions of

$$2x^3 + 7x - 4 \equiv 0 \pmod{5}$$

are the integers with $x \equiv 1 \pmod{5}$, as can be seen by testing $x = 0, 1, 2, 3$, and 4.
How can we find the solutions modulo 25? We could check all 25 different values $x =
0, 1, 2, \ldots, 24$. However, there is a more systematic method. Because any solution of

$$2x^3 + 7x - 4 \equiv 0 \pmod{25}$$

is also a solution modulo 5, and all solutions modulo 5 satisfy $x \equiv 1 \pmod{5}$, it follows
that $x = 1 + 5t$, where $t$ is an integer. We can solve for $t$ by substituting $1 + 5t$ for $x$. We
obtain

$$2(1 + 5t)^3 + 7(1 + 5t) - 4 \equiv 0 \pmod{25}.$$

Simplifying, we obtain a linear congruence for $t$, namely,

$$65t + 5 \equiv 15t + 5 \equiv 0 \pmod{25}.$$

By Theorem 4.5, we can eliminate a factor of 5, so that

$$3t + 1 \equiv 0 \pmod{5}.$$

The solutions of this congruence are $t \equiv 3 \pmod{5}$. This means that the solutions modulo
25 are those $x$ for which $x = 1 + 5t \equiv 1 + 5 \cdot 3 = 16 \pmod{25}$. The reader should verify
that these are indeed solutions. ◄

We will now introduce a general method that will help us find the solutions of
congruences modulo prime powers. In particular, we will show how the solutions of
the congruence $f(x) \equiv 0 \pmod{p^k}$, where $p$ is prime and $k$ is a positive integer with
$k \ge 2$, can be found from those of the congruence $f(x) \equiv 0 \pmod{p^{k-1}}$. The solutions
of the congruence modulo $p^k$ are said to be lifted from those modulo $p^{k-1}$. The theorem
uses $f'(x)$, the derivative of $f$. However, we will not need results from calculus. Instead,
we can define the derivative of a polynomial directly and describe the properties that we
will need.

Definition. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$, where $a_i$ is a real number
for $i = 0, 1, 2, \ldots, n$. The derivative of $f(x)$, denoted by $f'(x)$, equals $n a_n x^{n-1} +
(n-1) a_{n-1} x^{n-2} + \cdots + a_1$.

Starting with a polynomial, we can find its derivative and then find the derivative of
its derivative, and so on. We can define the $k$th derivative of a polynomial $f(x)$, denoted
by $f^{(k)}(x)$, as the derivative of the $(k-1)$st derivative, that is, $f^{(k)}(x) = (f^{(k-1)})'(x)$.

We will find the following two lemmas helpful. We leave their proofs to the reader. 

Lemma 4.4. If $f(x)$ and $g(x)$ are polynomials and $c$ is a constant, then $(f + g)'(x) =
f'(x) + g'(x)$ and $(cf)'(x) = c(f'(x))$. Furthermore, if $k$ is a positive integer, then
$(f + g)^{(k)}(x) = f^{(k)}(x) + g^{(k)}(x)$ and $(cf)^{(k)}(x) = c(f^{(k)}(x))$.

Lemma 4.5. If $m$ and $k$ are positive integers and $f(x) = x^m$, then $f^{(k)}(x) = m(m -
1) \cdots (m - k + 1)x^{m-k}$.


We can now state the result that can be used to lift solutions of polynomial congruences.
It is called Hensel’s lemma after the German mathematician Kurt Hensel, who
discovered it in work leading to the invention of the field of mathematics known as p-adic
analysis.

Theorem 4.15. Hensel’s Lemma. Suppose that $f(x)$ is a polynomial with integer
coefficients, $k$ is an integer with $k \ge 2$, and $p$ is a prime. Suppose further that $r$ is a
solution of the congruence $f(x) \equiv 0 \pmod{p^{k-1}}$. Then,

(i) if $f'(r) \not\equiv 0 \pmod{p}$, then there is a unique integer $t$, $0 \le t < p$, such that
$f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$, given by

$$t \equiv -\overline{f'(r)}\,(f(r)/p^{k-1}) \pmod{p},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$;

(ii) if $f'(r) \equiv 0 \pmod{p}$ and $f(r) \equiv 0 \pmod{p^k}$, then $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$
for all integers $t$;

(iii) if $f'(r) \equiv 0 \pmod{p}$ and $f(r) \not\equiv 0 \pmod{p^k}$, then $f(x) \equiv 0 \pmod{p^k}$ has no
solutions with $x \equiv r \pmod{p^{k-1}}$.

In case (i), we see that a solution to $f(x) \equiv 0 \pmod{p^{k-1}}$ lifts to a unique solution of
$f(x) \equiv 0 \pmod{p^k}$, and in cases (ii) and (iii), such a solution either lifts to $p$ incongruent
solutions modulo $p^k$ or to none at all. ■

We defer the proof of Theorem 4.15 until we have established the following lemma 
about Taylor expansions. 

Lemma 4.6. If $f(x)$ is a polynomial of degree $n$ and $a$ and $b$ are real numbers, then

$$f(a + b) = f(a) + f'(a)b + f''(a)b^2/2! + \cdots + f^{(n)}(a)b^n/n!,$$

where for every given value of $a$ the coefficients (namely, $1, f'(a), f''(a)/2!, \ldots,
f^{(n)}(a)/n!$) are polynomials in $a$ with integer coefficients.

Proof. Every polynomial $f$ of degree $n$ is the sum of multiples of the functions $x^m$,
where $m \le n$. Furthermore, by Lemma 4.4, we need only establish Lemma 4.6 for the
polynomials $f_m(x) = x^m$, where $m$ is a positive integer.

By the binomial theorem, we have

$$(a + b)^m = \sum_{j=0}^{m} \binom{m}{j} a^{m-j} b^j.$$

By Lemma 4.5, we know that $f_m^{(j)}(a) = m(m - 1) \cdots (m - j + 1)a^{m-j}$. Hence,

Because $\binom{m}{j}$ is an integer for all integers $m$ and $j$ such that $0 \le j \le m$, the coefficients
are integers. This completes the proof. ■


KURT HENSEL (1861-1941) was born in Königsberg, Prussia (now Kaliningrad,
Russia). He studied mathematics in Berlin, and later in Bonn, under
many leading mathematicians, including Kronecker and Weierstrass. Much of
his work involved the development of arithmetic in algebraic number fields.
Hensel is best known for inventing the p-adic numbers in 1902, in work on
representations of algebraic numbers in terms of power series. The p-adic numbers
can be thought of as a completion of the set of rational numbers that is different
from the usual completion that produces the set of real numbers. Hensel was
able to use the p-adic numbers to prove many results in number theory, and these numbers have had a
major impact on the development of algebraic number theory. Hensel served as a professor at the
University of Marburg until 1930. He was the editor for many years of the famous mathematical journal
known as Crelle’s Journal, whose official name is Journal für die reine und angewandte Mathematik.
Now that we have all the ingredients needed to prove Hensel's lemma, we embark on its proof.

Proof. If $r$ is a solution of $f(r) \equiv 0 \pmod{p^k}$, then it is also a solution of $f(r) \equiv 0 \pmod{p^{k-1}}$. Hence, it equals $r + tp^{k-1}$ for some integer $t$. The proof follows once we have determined the conditions on $t$.

By Lemma 4.6, it follows that

$$f(r + tp^{k-1}) = f(r) + f'(r)tp^{k-1} + \frac{f''(r)}{2!}(tp^{k-1})^2 + \cdots + \frac{f^{(n)}(r)}{n!}(tp^{k-1})^n,$$

where $f^{(k)}(r)/k!$ is an integer for $k = 1, 2, \ldots, n$. Given that $k \ge 2$, it follows that $k \le m(k-1)$ and $p^k \mid p^{m(k-1)}$ for $2 \le m \le n$. Hence,

$$f(r + tp^{k-1}) \equiv f(r) + f'(r)tp^{k-1} \pmod{p^k}.$$

Because $r + tp^{k-1}$ is a solution of $f(r + tp^{k-1}) \equiv 0 \pmod{p^k}$, it follows that

$$f'(r)tp^{k-1} \equiv -f(r) \pmod{p^k}.$$

Furthermore, we can divide this congruence by $p^{k-1}$, because $f(r) \equiv 0 \pmod{p^{k-1}}$. When we do so and rearrange terms, we obtain a linear congruence in $t$, namely,

$$f'(r)t \equiv -f(r)/p^{k-1} \pmod{p}.$$

By examining its solutions modulo $p$, we can prove the three cases of the theorem.

Suppose that $f'(r) \not\equiv 0 \pmod{p}$. It follows that $(f'(r), p) = 1$. Applying Corollary 4.11.1, we see that the congruence for $t$ has a unique solution,

$$t \equiv (-f(r)/p^{k-1})\,\overline{f'(r)} \pmod{p},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$. This establishes case (i).

When $f'(r) \equiv 0 \pmod{p}$, we have $(f'(r), p) = p$. By Theorem 4.11, if $p \mid (f(r)/p^{k-1})$, which holds if and only if $f(r) \equiv 0 \pmod{p^k}$, then all values $t$ are solutions. This means that $x = r + tp^{k-1}$ is a solution for $t = 0, 1, \ldots, p - 1$. This establishes case (ii).

Finally, consider the case when $f'(r) \equiv 0 \pmod{p}$, but $p \nmid (f(r)/p^{k-1})$. We have $(f'(r), p) = p$ and $f(r) \not\equiv 0 \pmod{p^k}$; so, by Theorem 4.11, no values of $t$ are solutions. This completes case (iii). ■

The following corollary shows that we can repeatedly lift solutions, starting with a solution modulo $p$, when case (i) of Hensel's lemma applies.

Corollary 4.15.1. Suppose that $r$ is a solution of the polynomial congruence $f(x) \equiv 0 \pmod{p}$, where $p$ is a prime. If $f'(r) \not\equiv 0 \pmod{p}$, then there is a unique solution $r_k$ modulo $p^k$, $k = 2, 3, \ldots$, such that $r_1 = r$ and

$$r_k = r_{k-1} - f(r_{k-1})\,\overline{f'(r)},$$

where $\overline{f'(r)}$ is an inverse of $f'(r)$ modulo $p$.

Proof. Using the hypotheses, we see by Hensel's lemma that $r$ lifts to a unique solution $r_2$ modulo $p^2$ with $r_2 = r + tp$, where $t = -\overline{f'(r)}\,(f(r)/p)$. Hence,

$$r_2 = r - f(r)\,\overline{f'(r)}.$$

Because $r_2 \equiv r \pmod{p}$, it follows that $f'(r_2) \equiv f'(r) \not\equiv 0 \pmod{p}$. Using Hensel's lemma again, we see that there is a unique solution $r_3$ modulo $p^3$, which can be shown to be $r_3 = r_2 - f(r_2)\,\overline{f'(r)}$. If we continue in this way, we find that the corollary follows for all integers $k \ge 2$. ■

The following examples illustrate how Hensel’s lemma is applied. 

Example 4.21. Find the solutions of

$$x^3 + x^2 + 29 \equiv 0 \pmod{25}.$$

Let $f(x) = x^3 + x^2 + 29$. We see (by inspection) that the solutions of $f(x) \equiv 0 \pmod{5}$ satisfy $x \equiv 3 \pmod{5}$. Because $f'(x) = 3x^2 + 2x$ and $f'(3) = 33 \equiv 3 \not\equiv 0 \pmod{5}$, Hensel's lemma tells us that there is a unique solution modulo 25 of the form $3 + 5t$, where

$$t \equiv -\overline{f'(3)}\,(f(3)/5) \pmod{5}.$$

Note that $\overline{f'(3)} = \overline{3} = 2$, because 2 is inverse to 3 modulo 5. Also note that $f(3)/5 = 65/5 = 13$. It follows that $t \equiv -2 \cdot 13 \equiv 4 \pmod{5}$. We conclude that $x \equiv 3 + 5 \cdot 4 = 23$ is the unique solution of $f(x) \equiv 0 \pmod{25}$. ◄

Example 4.22. Find the solutions of

$$x^2 + x + 7 \equiv 0 \pmod{27}.$$

Let $f(x) = x^2 + x + 7$. We find (by inspection) that the solutions of $f(x) \equiv 0 \pmod{3}$ are the integers with $x \equiv 1 \pmod{3}$. Because $f'(x) = 2x + 1$, we see that $f'(1) = 3 \equiv 0 \pmod{3}$. Furthermore, because $f(1) = 9 \equiv 0 \pmod{9}$, we can apply case (ii) of Hensel's lemma to conclude that $1 + 3t$ is a solution modulo 9 for all integers $t$. This means that the solutions modulo 9 are $x \equiv 1, 4,$ or $7 \pmod{9}$.

Now, by case (iii) of Hensel's lemma, because $f(1) = 9 \not\equiv 0 \pmod{27}$, there are no solutions of $f(x) \equiv 0 \pmod{27}$ with $x \equiv 1 \pmod{9}$. Because $f(4) = 27 \equiv 0 \pmod{27}$, by case (ii), $4 + 9t$ is a solution modulo 27 for all integers $t$. This shows that all $x \equiv 4, 13,$ or $22 \pmod{27}$ are solutions. Finally, by case (iii), because $f(7) = 63 \not\equiv 0 \pmod{27}$, there are no solutions of $f(x) \equiv 0 \pmod{27}$ with $x \equiv 7 \pmod{9}$.

Putting everything together, we see that all solutions of $f(x) \equiv 0 \pmod{27}$ are those $x \equiv 4, 13,$ or $22 \pmod{27}$. ◄

Example 4.23. What are the solutions of $f(x) = x^3 + x^2 + 2x + 26 \equiv 0 \pmod{343}$? By inspection, we see that the solutions of $x^3 + x^2 + 2x + 26 \equiv 0 \pmod{7}$ are the integers $x \equiv 2 \pmod{7}$. Because $f'(x) = 3x^2 + 2x + 2$, it follows that $f'(2) = 18 \not\equiv 0 \pmod{7}$. We can use Corollary 4.15.1 to find solutions modulo $7^k$ for $k = 2, 3, \ldots$. Noting that $\overline{f'(2)} = \overline{4} = 2$, we find that $r_2 = 2 - f(2)\,\overline{f'(2)} = 2 - 42 \cdot 2 = -82 \equiv 16 \pmod{49}$, and $r_3 = 16 - f(16)\,\overline{f'(2)} = 16 - 4410 \cdot 2 = -8804 \equiv 114 \pmod{343}$. It follows that the solutions modulo 343 are the integers $x \equiv 114 \pmod{343}$. ◄
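The three cases of Hensel's lemma translate directly into a lifting routine. The following Python sketch is an added example, not code from the book; the function names (`poly_eval`, `derivative`, `hensel_lift`) and the coefficient-list representation are assumptions made here. It finds the roots modulo $p$ by exhaustive search and then lifts them one power of $p$ at a time, reproducing Examples 4.21 through 4.23.

```python
def poly_eval(coeffs, x, mod):
    """Evaluate a polynomial at x modulo mod (Horner's rule).
    coeffs lists the integer coefficients from highest degree to constant."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % mod
    return acc


def derivative(coeffs):
    """Coefficients of the formal derivative f'(x)."""
    n = len(coeffs) - 1
    return [c * (n - i) for i, c in enumerate(coeffs[:-1])]


def hensel_lift(coeffs, p, k):
    """Return the sorted solutions of f(x) = 0 (mod p^k) for a prime p."""
    dcoeffs = derivative(coeffs)
    # Solutions modulo p are found by inspection (exhaustive search).
    roots = [r for r in range(p) if poly_eval(coeffs, r, p) == 0]
    modulus = p                      # current modulus p^(j-1)
    for _ in range(2, k + 1):
        next_modulus = modulus * p   # target modulus p^j
        lifted = []
        for r in roots:
            f_r = poly_eval(coeffs, r, next_modulus)   # multiple of p^(j-1)
            df_r = poly_eval(dcoeffs, r, p)
            if df_r != 0:
                # Case (i): unique t with f'(r) t = -f(r)/p^(j-1) (mod p).
                t = (-(f_r // modulus) * pow(df_r, -1, p)) % p
                lifted.append(r + t * modulus)
            elif f_r == 0:
                # Case (ii): every t = 0, 1, ..., p-1 gives a solution.
                lifted.extend(r + t * modulus for t in range(p))
            # Case (iii): f'(r) = 0 (mod p) but f(r) != 0 (mod p^j): no lift.
        roots = lifted
        modulus = next_modulus
    return sorted(roots)


if __name__ == "__main__":
    print(hensel_lift([1, 1, 0, 29], 5, 2))   # Example 4.21
    print(hensel_lift([1, 1, 7], 3, 3))       # Example 4.22
    print(hensel_lift([1, 1, 2, 26], 7, 3))   # Example 4.23
```
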


4.4 Exercises 

1. Find all the solutions of each of the following congruences.

a) $x^2 + 4x + 2 \equiv 0 \pmod{7}$

b) $x^2 + 4x + 2 \equiv 0 \pmod{49}$

c) $x^2 + 4x + 2 \equiv 0 \pmod{343}$

2. Find all the solutions of each of the following congruences.

a) $x^3 + 8x^2 - x - 1 \equiv 0 \pmod{11}$

b) $x^3 + 8x^2 - x - 1 \equiv 0 \pmod{121}$

c) $x^3 + 8x^2 - x - 1 \equiv 0 \pmod{1331}$

3. Find the solutions of the congruence $x^2 + x + 47 \equiv 0 \pmod{2401}$. (Note that $2401 = 7^4$.)

4. Find the solutions of $x^2 + x + 34 \equiv 0 \pmod{81}$.

5. Find all solutions of $13x^7 - 42x - 649 \equiv 0 \pmod{1323}$.

6. Find all solutions of $x^8 - x^4 + 1001 \equiv 0 \pmod{539}$.

7. Find all solutions of $x^4 + 2x + 36 \equiv 0 \pmod{4375}$.

8. Find all solutions of $x^6 - 2x^5 - 35 \equiv 0 \pmod{6125}$.

9. How many incongruent solutions are there to the congruence $5x^3 + x^2 + x + 1 \equiv 0 \pmod{64}$?

10. How many incongruent solutions are there to the congruence $x^5 + x - 6 \equiv 0 \pmod{144}$?

11. Let $a$ be an integer and $p$ a prime such that $(a, p) = 1$. Use Hensel's lemma to find a recursive formula for the solutions of the congruence $ax \equiv 1 \pmod{p^k}$, for all positive integers $k$.

* 12. a) Let $f(x)$ be a polynomial with integer coefficients. Let $p$ be a prime, $k$ a positive integer, and $j$ an integer such that $k \ge 2j + 1$. Let $a$ be a solution of $f(a) \equiv 0 \pmod{p^k}$, with $p^j$ exactly dividing $f'(a)$. Show that if $b \equiv a \pmod{p^{k-j}}$, then $f(b) \equiv f(a) \pmod{p^k}$, $p^j$ exactly divides $f'(b)$, and there is a unique $t$ modulo $p$ such that $f(a + tp^{k-j}) \equiv 0 \pmod{p^{k+1}}$. (Hint: Using a Taylor expansion, first show that $f(a + tp^{k-j}) \equiv f(a) + tp^{k-j}f'(a) \pmod{p^{2k-2j}}$.)

b) Show that when the hypotheses of part (a) hold, the solutions of $f(x) \equiv 0 \pmod{p^k}$ may be lifted to solutions of arbitrarily high powers of $p$.

* 13. How many solutions are there to $x^2 + x + 223 \equiv 0 \pmod{3^j}$, where $j$ is a positive integer? (Hint: First find the solutions modulo $3^5$ and then apply Exercise 12.)


Computations and Explorations

1. Find all solutions of $x^4 - 13x^3 + 11x - 3 \equiv 0 \pmod{7^8}$.

2. Find all solutions of $x^9 + 13x^3 - x + 100{,}336 \equiv 0 \pmod{17^9}$.

Programming Projects

1. Use Hensel's lemma to solve congruences of the form $f(x) \equiv 0 \pmod{p^n}$, where $f(x)$ is a polynomial, $p$ is prime, and $n$ is a positive integer.


4.5 Systems of Linear Congruences 

We will consider systems of more than one congruence that involve the same number 
of unknowns as congruences, where all congruences have the same modulus. We begin 
our study with an example. 

Suppose that we wish to find all integers $x$ and $y$ such that both of the congruences

$$3x + 4y \equiv 5 \pmod{13}$$
$$2x + 5y \equiv 7 \pmod{13}$$

are satisfied. To attempt to eliminate $y$, we multiply the first congruence by 5 and the second by 4, to obtain

$$15x + 20y \equiv 25 \pmod{13}$$
$$8x + 20y \equiv 28 \pmod{13}.$$

We subtract the second congruence from the first, to find that

$$7x \equiv -3 \pmod{13}.$$

Because 2 is an inverse of 7 (mod 13), we multiply both sides of the above congruence by 2. This gives

$$2 \cdot 7x \equiv -2 \cdot 3 \pmod{13},$$

which tells us that

$$x \equiv 7 \pmod{13}.$$

Likewise, to eliminate $x$, we can multiply the first congruence by 2 and the second by 3 (of the original system), to see that

$$6x + 8y \equiv 10 \pmod{13}$$
$$6x + 15y \equiv 21 \pmod{13}.$$

When we subtract the first congruence from the second, we obtain

$$7y \equiv 11 \pmod{13}.$$

To solve for $y$, we multiply both sides of this congruence by 2, an inverse of 7 modulo 13. We get

$$2 \cdot 7y \equiv 2 \cdot 11 \pmod{13},$$

so that

$$y \equiv 9 \pmod{13}.$$

What we have shown is that any solution $(x, y)$ must satisfy

$$x \equiv 7 \pmod{13}, \quad y \equiv 9 \pmod{13}.$$

When we insert these congruences for $x$ and $y$ into the original system, we see that these pairs actually are solutions:

$$3x + 4y \equiv 3 \cdot 7 + 4 \cdot 9 = 57 \equiv 5 \pmod{13}$$
$$2x + 5y \equiv 2 \cdot 7 + 5 \cdot 9 = 59 \equiv 7 \pmod{13}.$$

Hence, the solutions of this system of congruences are all pairs $(x, y)$ such that $x \equiv 7 \pmod{13}$ and $y \equiv 9 \pmod{13}$.

We now give a general result concerning certain systems of two congruences in two 
unknowns. (This result resembles Cramer’s rule for solving systems of linear equations.) 

Theorem 4.16. Let $a, b, c, d, e, f,$ and $m$ be integers with $m > 0$, and $(\Delta, m) = 1$, where $\Delta = ad - bc$. Then the system of congruences

$$ax + by \equiv e \pmod{m}$$
$$cx + dy \equiv f \pmod{m}$$

has a unique solution modulo $m$, given by

$$x \equiv \overline{\Delta}(de - bf) \pmod{m}$$
$$y \equiv \overline{\Delta}(af - ce) \pmod{m},$$

where $\overline{\Delta}$ is an inverse of $\Delta$ modulo $m$.

Proof. To eliminate $y$, we multiply the first congruence of the system by $d$ and the second by $b$, to obtain

$$adx + bdy \equiv de \pmod{m}$$
$$bcx + bdy \equiv bf \pmod{m}.$$

Then we subtract the second congruence from the first, to find that

$$(ad - bc)x \equiv de - bf \pmod{m},$$

or, because $\Delta = ad - bc$,

$$\Delta x \equiv de - bf \pmod{m}.$$

Next, we multiply both sides of this congruence by $\overline{\Delta}$, an inverse of $\Delta$ modulo $m$, to conclude that

$$x \equiv \overline{\Delta}(de - bf) \pmod{m}.$$

In a similar way, to eliminate $x$, we multiply the first congruence by $c$ and the second by $a$, to obtain

$$acx + bcy \equiv ce \pmod{m}$$
$$acx + ady \equiv af \pmod{m}.$$

We subtract the first congruence from the second, to find that

$$(ad - bc)y \equiv af - ce \pmod{m}$$

or

$$\Delta y \equiv af - ce \pmod{m}.$$

Finally, we multiply both sides of this congruence by $\overline{\Delta}$ to see that

$$y \equiv \overline{\Delta}(af - ce) \pmod{m}.$$

We have shown that if $(x, y)$ is a solution of the system of congruences, then

$$x \equiv \overline{\Delta}(de - bf) \pmod{m}, \quad y \equiv \overline{\Delta}(af - ce) \pmod{m}.$$

We can easily check that any such pair $(x, y)$ is a solution. When $x \equiv \overline{\Delta}(de - bf) \pmod{m}$ and $y \equiv \overline{\Delta}(af - ce) \pmod{m}$, we have

$$\begin{aligned}
ax + by &\equiv a\overline{\Delta}(de - bf) + b\overline{\Delta}(af - ce)\\
&\equiv \overline{\Delta}(ade - abf + abf - bce)\\
&\equiv \overline{\Delta}(ad - bc)e\\
&\equiv \overline{\Delta}\Delta e\\
&\equiv e \pmod{m},
\end{aligned}$$

and

$$\begin{aligned}
cx + dy &\equiv c\overline{\Delta}(de - bf) + d\overline{\Delta}(af - ce)\\
&\equiv \overline{\Delta}(cde - bcf + adf - cde)\\
&\equiv \overline{\Delta}(ad - bc)f\\
&\equiv \overline{\Delta}\Delta f\\
&\equiv f \pmod{m}.
\end{aligned}$$

This establishes the theorem. ■


By similar methods, we may solve systems of n congruences involving n unknowns. 
However, we will develop the theory of solving such systems, as well as larger systems, 
by methods taken from linear algebra. Readers unfamiliar with linear algebra may wish 
to skip the remainder of this section. 

Systems of n linear congruences involving n unknowns will arise in our subsequent 
cryptographic studies. To study such systems when n is large, it is helpful to use the 
language of matrices. We will use some of the basic notions of matrix arithmetic, which 
are discussed in most linear algebra texts. 

Before we proceed, we need to define congruences of matrices. 


Definition. Let $A$ and $B$ be $n \times k$ matrices with integer entries, with $(i, j)$th entries $a_{ij}$ and $b_{ij}$, respectively. We say that $A$ is congruent to $B$ modulo $m$ if $a_{ij} \equiv b_{ij} \pmod{m}$ for all pairs $(i, j)$ with $1 \le i \le n$ and $1 \le j \le k$. We write $A \equiv B \pmod{m}$ if $A$ is congruent to $B$ modulo $m$.

The matrix congruence $A \equiv B \pmod{m}$ provides a succinct way of expressing the $nk$ congruences $a_{ij} \equiv b_{ij} \pmod{m}$ for $1 \le i \le n$ and $1 \le j \le k$.

Example 4.24. We easily see that 

(? ,y-(i ;)<“'»■ 

The following proposition will be needed. 

Theorem 4.17. If $A$ and $B$ are $n \times k$ matrices with $A \equiv B \pmod{m}$, $C$ is a $k \times p$ matrix, and $D$ is a $p \times n$ matrix, all with integer entries, then $AC \equiv BC \pmod{m}$ and $DA \equiv DB \pmod{m}$.

Proof. Let the entries of $A$ and $B$ be $a_{ij}$ and $b_{ij}$, respectively, for $1 \le i \le n$ and $1 \le j \le k$, and let the entries of $C$ be $c_{ij}$ for $1 \le i \le k$ and $1 \le j \le p$. The $(i, j)$th entries of $AC$ and $BC$ are $\sum_{t=1}^{k} a_{it}c_{tj}$ and $\sum_{t=1}^{k} b_{it}c_{tj}$, respectively, for $1 \le i \le n$ and $1 \le j \le p$. Because $A \equiv B \pmod{m}$, we know that $a_{it} \equiv b_{it} \pmod{m}$ for all $i$ and $k$. Hence, by Theorem 4.4, we see that $\sum_{t=1}^{k} a_{it}c_{tj} \equiv \sum_{t=1}^{k} b_{it}c_{tj} \pmod{m}$. Consequently, $AC \equiv BC \pmod{m}$.

The proof that $DA \equiv DB \pmod{m}$ is similar and is omitted. ■

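Now let us consider the system of congruences

$$\begin{aligned}
a_{11}x_1 + a_{12}x_2 + \cdots + a_{1n}x_n &\equiv b_1 \pmod{m}\\
a_{21}x_1 + a_{22}x_2 + \cdots + a_{2n}x_n &\equiv b_2 \pmod{m}\\
&\;\;\vdots\\
a_{n1}x_1 + a_{n2}x_2 + \cdots + a_{nn}x_n &\equiv b_n \pmod{m}.
\end{aligned}$$

Using matrix notation, we see that this system of $n$ congruences is equivalent to the matrix congruence $AX \equiv B \pmod{m}$, where

$$A = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n}\\ a_{21} & a_{22} & \cdots & a_{2n}\\ \vdots & \vdots & & \vdots\\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix}, \quad X = \begin{pmatrix} x_1\\ x_2\\ \vdots\\ x_n \end{pmatrix}, \quad \text{and} \quad B = \begin{pmatrix} b_1\\ b_2\\ \vdots\\ b_n \end{pmatrix}.$$

Example 4.25. The system

$$3x + 4y \equiv 5 \pmod{13}$$
$$2x + 5y \equiv 7 \pmod{13}$$

can be written as

$$\begin{pmatrix} 3 & 4\\ 2 & 5 \end{pmatrix}\begin{pmatrix} x\\ y \end{pmatrix} \equiv \begin{pmatrix} 5\\ 7 \end{pmatrix} \pmod{13}.$$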
We now develop a method for solving congruences of the form $AX \equiv B \pmod{m}$. This method is based on finding a matrix $\overline{A}$ such that $\overline{A}A \equiv I \pmod{m}$, where $I$ is the identity matrix.

Definition. If $A$ and $\overline{A}$ are $n \times n$ matrices of integers and $\overline{A}A \equiv A\overline{A} \equiv I \pmod{m}$, where

$$I = \begin{pmatrix} 1 & 0 & \cdots & 0\\ 0 & 1 & \cdots & 0\\ \vdots & \vdots & \ddots & \vdots\\ 0 & 0 & \cdots & 1 \end{pmatrix}$$

is the identity matrix of order $n$, then $\overline{A}$ is said to be an inverse of $A$ modulo $m$.

If $\overline{A}$ is an inverse of $A$ and $B \equiv \overline{A} \pmod{m}$, then $B$ is also an inverse of $A$. This follows from Theorem 4.17, because $BA \equiv \overline{A}A \equiv I \pmod{m}$. Conversely, if $B_1$ and $B_2$ are both inverses of $A$, then $B_1 \equiv B_2 \pmod{m}$. To see this, using Theorem 4.17 and the congruence $B_1A \equiv B_2A \equiv I \pmod{m}$, we have $B_1AB_1 \equiv B_2AB_1 \pmod{m}$. Because $AB_1 \equiv I \pmod{m}$, we conclude that $B_1 \equiv B_2 \pmod{m}$.

Example 4.26. Given that 

(i <)(i ;)■(» ::)■(: °) 

and 

(5 0(i 2)-(‘» ”)-(i !) 

/34\ /13\ 

we see that the matrix I ^ ^ ) i s an inverse of I ^ modulo 5. ◄ 

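The following proposition gives an easy method for finding inverses for $2 \times 2$ matrices.

Theorem 4.18. Let $A = \begin{pmatrix} a & b\\ c & d \end{pmatrix}$ be a matrix of integers, such that $\Delta = \det A = ad - bc$ is relatively prime to the positive integer $m$. Then the matrix

$$\overline{A} = \overline{\Delta}\begin{pmatrix} d & -b\\ -c & a \end{pmatrix},$$

where $\overline{\Delta}$ is the inverse of $\Delta$ modulo $m$, is an inverse of $A$ modulo $m$.

Proof. To verify that the matrix $\overline{A}$ is an inverse of $A$ modulo $m$, we need only verify that $A\overline{A} \equiv \overline{A}A \equiv I \pmod{m}$.

To see this, note that

$$\begin{aligned}
A\overline{A} &\equiv \begin{pmatrix} a & b\\ c & d \end{pmatrix}\overline{\Delta}\begin{pmatrix} d & -b\\ -c & a \end{pmatrix} \equiv \overline{\Delta}\begin{pmatrix} ad - bc & 0\\ 0 & -bc + ad \end{pmatrix}\\
&\equiv \overline{\Delta}\begin{pmatrix} \Delta & 0\\ 0 & \Delta \end{pmatrix} \equiv \begin{pmatrix} \overline{\Delta}\Delta & 0\\ 0 & \overline{\Delta}\Delta \end{pmatrix} \equiv \begin{pmatrix} 1 & 0\\ 0 & 1 \end{pmatrix} = I \pmod{m}
\end{aligned}$$

and

$$\begin{aligned}
\overline{A}A &\equiv \overline{\Delta}\begin{pmatrix} d & -b\\ -c & a \end{pmatrix}\begin{pmatrix} a & b\\ c & d \end{pmatrix} \equiv \overline{\Delta}\begin{pmatrix} ad - bc & 0\\ 0 & -bc + ad \end{pmatrix}\\
&\equiv \overline{\Delta}\begin{pmatrix} \Delta & 0\\ 0 & \Delta \end{pmatrix} \equiv \begin{pmatrix} \overline{\Delta}\Delta & 0\\ 0 & \overline{\Delta}\Delta \end{pmatrix} \equiv \begin{pmatrix} 1 & 0\\ 0 & 1 \end{pmatrix} = I \pmod{m},
\end{aligned}$$

where $\overline{\Delta}$ is an inverse of $\Delta$ (mod $m$), which exists because $(\Delta, m) = 1$. ■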

Example 4.27. Let $A = \begin{pmatrix} 3 & 4\\ 2 & 5 \end{pmatrix}$. Because 2 is an inverse of $\det A = 7$ modulo 13, we have

Mi ?)-('" ?)-(? . 

To provide a formula for an inverse of an $n \times n$ matrix, where $n$ is a positive integer greater than 2, we need a result from linear algebra. It involves the notion of the adjoint of a matrix, which is defined as follows.

Definition. The adjoint of an $n \times n$ matrix $A$ is the $n \times n$ matrix with $(i, j)$th entry $C_{ji}$, where $C_{ij}$ is times the determinant of the matrix obtained by deleting the $i$th row and $j$th column from $A$. The adjoint of $A$ is denoted by adj($A$), or simply adj $A$.

Theorem 4.19. If $A$ is an $n \times n$ matrix with $\det A \ne 0$, then $A(\operatorname{adj} A) = (\det A)I$, where adj $A$ is the adjoint of $A$.

Using this theorem, the following theorem follows readily.

Theorem 4.20. If $A$ is an $n \times n$ matrix with integer entries and $m$ is a positive integer such that $(\det A, m) = 1$, then the matrix $\overline{A} = \overline{\Delta}(\operatorname{adj} A)$ is an inverse of $A$ modulo $m$, where $\overline{\Delta}$ is an inverse of $\Delta = \det A$ modulo $m$.

Proof. If $(\det A, m) = 1$, then we know that $\det A \ne 0$. Hence, by Theorem 4.19, we have

$$A(\operatorname{adj} A) = (\det A)I = \Delta I.$$

Because $(\det A, m) = 1$, there is an inverse $\overline{\Delta}$ of $\Delta = \det A$ modulo $m$. Hence,

$$A(\overline{\Delta} \operatorname{adj} A) \equiv A \cdot (\operatorname{adj} A)\overline{\Delta} \equiv \Delta\overline{\Delta}I \equiv I \pmod{m},$$

and

$$\overline{\Delta}(\operatorname{adj} A)A \equiv \overline{\Delta}((\operatorname{adj} A)A) \equiv \overline{\Delta}\Delta I \equiv I \pmod{m}.$$

This shows that $\overline{A} = \overline{\Delta}(\operatorname{adj} A)$ is an inverse of $A$ modulo $m$.


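Example 4.28. Let $A = \begin{pmatrix} 2 & 5 & 6\\ 2 & 0 & 1\\ 1 & 2 & 3 \end{pmatrix}$. Then $\det A = -5$. Furthermore, we have $(\det A, 7) = 1$, and we see that 4 is an inverse of $\det A = -5$ (mod 7). Consequently, we find that

$$\overline{A} = 4\begin{pmatrix} -2 & -3 & 5\\ -5 & 0 & 10\\ 4 & 1 & -10 \end{pmatrix} = \begin{pmatrix} -8 & -12 & 20\\ -20 & 0 & 40\\ 16 & 4 & -40 \end{pmatrix} \equiv \begin{pmatrix} 6 & 2 & 6\\ 1 & 0 & 5\\ 2 & 4 & 2 \end{pmatrix} \pmod{7}.$$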


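We can use an inverse of $A$ modulo $m$ to solve the system

$$AX \equiv B \pmod{m},$$

where $(\det A, m) = 1$. By Theorem 4.17, when we multiply both sides of this congruence by an inverse $\overline{A}$ of $A$, we obtain

$$\overline{A}(AX) \equiv \overline{A}B \pmod{m}$$
$$(\overline{A}A)X \equiv \overline{A}B \pmod{m}$$
$$X \equiv \overline{A}B \pmod{m}.$$

Hence, we find the solution $X$ by forming $\overline{A}B$ (mod $m$).

Note that this method provides another proof of Theorem 4.16. To see this, let $AX = B$, where $A = \begin{pmatrix} a & b\\ c & d \end{pmatrix}$, $X = \begin{pmatrix} x\\ y \end{pmatrix}$, and $B = \begin{pmatrix} e\\ f \end{pmatrix}$. If $\Delta = \det A = ad - bc$ is relatively prime to $m$, then

$$\begin{pmatrix} x\\ y \end{pmatrix} = X \equiv \overline{A}B \equiv \overline{\Delta}\begin{pmatrix} d & -b\\ -c & a \end{pmatrix}\begin{pmatrix} e\\ f \end{pmatrix} = \overline{\Delta}\begin{pmatrix} de - bf\\ af - ce \end{pmatrix} \pmod{m}.$$

This demonstrates that $(x, y)$ is a solution if and only if

$$x \equiv \overline{\Delta}(de - bf) \pmod{m}, \quad y \equiv \overline{\Delta}(af - ce) \pmod{m}.$$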

Next, we give an example of the solution of a system of three congruences in three 
unknowns using matrices. 

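Example 4.29. We consider the system of three congruences

$$2x_1 + 5x_2 + 6x_3 \equiv 3 \pmod{7}$$
$$2x_1 + x_3 \equiv 4 \pmod{7}$$
$$x_1 + 2x_2 + 3x_3 \equiv 1 \pmod{7}.$$

This is equivalent to the matrix congruence

$$\begin{pmatrix} 2 & 5 & 6\\ 2 & 0 & 1\\ 1 & 2 & 3 \end{pmatrix}\begin{pmatrix} x_1\\ x_2\\ x_3 \end{pmatrix} \equiv \begin{pmatrix} 3\\ 4\\ 1 \end{pmatrix} \pmod{7}.$$

We have previously shown that the matrix $\begin{pmatrix} 6 & 2 & 6\\ 1 & 0 & 5\\ 2 & 4 & 2 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 2 & 5 & 6\\ 2 & 0 & 1\\ 1 & 2 & 3 \end{pmatrix}$ (mod 7). Hence, we have

$$\begin{pmatrix} x_1\\ x_2\\ x_3 \end{pmatrix} \equiv \begin{pmatrix} 6 & 2 & 6\\ 1 & 0 & 5\\ 2 & 4 & 2 \end{pmatrix}\begin{pmatrix} 3\\ 4\\ 1 \end{pmatrix} \pmod{7}.$$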


Before leaving this subject, we should mention that many methods for solving systems of linear equations may be adapted to solve systems of congruences. For instance, Gaussian elimination may be adapted to solve systems of congruences, where division is always replaced by multiplication by inverses modulo $m$. Also, there is a method for solving systems of congruences analogous to Cramer's rule. We leave the development of these methods as exercises for those readers familiar with linear algebra.


4.5 Exercises

1. Find the solutions of each of the following systems of linear congruences.

a) $x + 2y \equiv 1 \pmod{5}$
   $2x + y \equiv 1 \pmod{5}$

b) $x + 3y \equiv 1 \pmod{5}$
   $3x + 4y \equiv 2 \pmod{5}$

c) $4x + y \equiv 2 \pmod{5}$
   $2x + 3y \equiv 1 \pmod{5}$

2. Find the solutions of each of the following systems of linear congruences.

a) $2x + 3y \equiv 5 \pmod{7}$
   $x + 5y \equiv 6 \pmod{7}$

b) $4x + y \equiv 5 \pmod{7}$
   $x + 2y \equiv 4 \pmod{7}$

3. What are the possibilities for the number of incongruent solutions of the system of linear congruences

$$ax + by \equiv c \pmod{p}$$
$$dx + ey \equiv f \pmod{p},$$

where $p$ is a prime and $a, b, c, d, e,$ and $f$ are positive integers?

4. Find the matrix C such that 

C ={1 OO i) (mod5) 

and all entries of C are nonnegative integers less than 5. 

5. Use mathematical induction to prove that if $A$ and $B$ are $n \times n$ matrices with integer entries such that $A \equiv B \pmod{m}$, then $A^k \equiv B^k \pmod{m}$ for all positive integers $k$.

A matrix $A \ne I$ is called involutory modulo $m$ if $A^2 \equiv I \pmod{m}$.

6. Show that ^ ^ ^ ^ is involutory modulo 26.

7. Prove or disprove that if $A$ is a $2 \times 2$ involutory matrix modulo $m$, then $\det A \equiv \pm 1 \pmod{m}$.

8. Find an inverse modulo 5 of each of the following matrices. 


a) 





9. Find an inverse modulo 7 of each of the following matrices. 



10. Using Exercise 9, find all the solutions of each of the following systems.

a) $x + y \equiv 1 \pmod{7}$
   $x + z \equiv 2 \pmod{7}$
   $y + z \equiv 3 \pmod{7}$

b) $x + 2y + 3z \equiv 1 \pmod{7}$
   $x + 2y + 5z \equiv 1 \pmod{7}$
   $x + 4y + 6z \equiv 1 \pmod{7}$

c) $x + y + z \equiv 1 \pmod{7}$
   $x + y + w \equiv 1 \pmod{7}$
   $x + z + w \equiv 1 \pmod{7}$
   $y + z + w \equiv 1 \pmod{7}$

11. How many incongruent solutions does each of the following systems of congruences have?

a) $x + y + z \equiv 1 \pmod{5}$
   $2x + 4y + 3z \equiv 1 \pmod{5}$

b) $2x + 3y + z \equiv 3 \pmod{5}$
   $x + 2y + 3z \equiv 1 \pmod{5}$
   $2x + z \equiv 1 \pmod{5}$

c) $3x + y + 3z \equiv 1 \pmod{5}$
   $x + 2y + 4z \equiv 2 \pmod{5}$
   $4x + 3y + 2z \equiv 3 \pmod{5}$

d) $2x + y + z \equiv 1 \pmod{5}$
   $x + 2y + z \equiv 1 \pmod{5}$
   $x + y + 2z \equiv 1 \pmod{5}$

* 12. Develop an analogue of Cramer's rule for solving systems of $n$ linear congruences in $n$ unknowns.

* 13. Develop an analogue of Gaussian elimination to solve systems of $n$ linear congruences in $m$ unknowns (where $m$ and $n$ may differ).

A magic square is a square array of integers with the property that the sum of the integers in a row or in a column is always the same. In this exercise, we present a method for producing magic squares.

* 14. Show that the $n^2$ integers $0, 1, \ldots, n^2 - 1$ are put into the $n^2$ positions of an $n \times n$ square, without putting two integers in the same position, if the integer $k$ is placed in the $i$th row and $j$th column, where

$$i \equiv a + ck + e[k/n] \pmod{n},$$
$$j \equiv b + dk + f[k/n] \pmod{n},$$

$1 \le i \le n$, $1 \le j \le n$, and $a, b, c, d, e,$ and $f$ are integers with $(cf - de, n) = 1$.

* 15. Show that a magic square is produced in Exercise 14 if $(c, n) = (d, n) = (e, n) = (f, n) = 1$.

* 16. The positive and negative diagonals of an $n \times n$ square consist of the integers in positions $(i, j)$, where $i + j \equiv k \pmod{n}$ and $i - j \equiv k \pmod{n}$, respectively, where $k$ is a given integer. A square is called diabolic if the sum of the integers in a positive or negative diagonal is always the same. Show that a diabolic square is produced using the procedure given in Exercise 14 if $(c + d, n) = (c - d, n) = (e + f, n) = (e - f, n) = 1$.


Computations and Explorations 

1. Produce $4 \times 4$, $5 \times 5$, and $6 \times 6$ magic squares.

Programming Projects 

1. Find the solutions of a system of two linear congruences in two unknowns using Theorem 
4.15. 

2. Find inverses of 2 x 2 matrices using Theorem 4.17. 

3. Find inverses of n x n matrices using Theorem 4.19. 

4. Solve systems of n linear congruences in n unknowns using inverses of matrices. 

5. Solve systems of n linear congruences in n unknowns using an analogue of Cramer’s rule 
(see Exercise 12). 

6. Solve systems of n linear congruences in m unknowns using an analogue of Gaussian 
elimination (see Exercise 13). 

7. Given a positive integer, produce an n x n magic square by the method given in Exercise 14. 


4.6 Factoring Using the Pollard Rho Method 

In this section, we will describe a factorization method based on congruences that was developed in 1974 by J. M. Pollard. Pollard called this technique the Monte Carlo method, because it relies on generating integers that behave as though they were randomly chosen; it is now commonly known as the Pollard rho method, for reasons that will be explained.

Suppose that $n$ is a large composite integer and that $p$ is its smallest prime divisor. Our goal is to choose integers $x_0, x_1, \ldots, x_s$ so that these integers have distinct least nonnegative residues modulo $n$, but where their least nonnegative residues modulo $p$ are not all distinct. As can be seen using probabilistic arguments (see [Ri94]), this is likely to be the case when $s$ is large compared to $\sqrt{p}$ but small when compared to $\sqrt{n}$, and the numbers are chosen randomly.

Once we have found integers $x_i$ and $x_j$, $0 \le i < j \le s$, such that $x_i \equiv x_j \pmod{p}$ but $x_i \not\equiv x_j \pmod{n}$, it follows that $(x_i - x_j, n)$ is a nontrivial divisor of $n$, as $p$ divides $x_i - x_j$, but $n$ does not. The number $(x_i - x_j, n)$ can be found quickly using the Euclidean algorithm. However, to find $(x_i - x_j, n)$ for each pair $(i, j)$ with $0 \le i < j \le s$ requires that we find $O(s^2)$ greatest common divisors. We will show how to reduce the number of times we must use the Euclidean algorithm.

To find such integers $x_i$ and $x_j$, we use the following procedure: We start with a seed value $x_0$ that is chosen randomly and a polynomial function $f(x)$ with integer coefficients of degree greater than 1. We compute the terms $x_k$, $k = 1, 2, 3, \ldots$, using the recursive definition

$$x_{k+1} \equiv f(x_k) \pmod{n}, \quad 0 \le x_{k+1} < n.$$

The polynomial $f(x)$ should be chosen so that the probability is high that a suitably large number of integers $x_i$ are generated before they repeat. Empirical evidence indicates that the polynomial $f(x) = x^2 + 1$ performs well for this test. The following example illustrates how this sequence is generated.

Example 4.30. Let $n = 8051$, and suppose that $x_0 = 2$ and $f(x) = x^2 + 1$. We find that $x_1 = 5$, $x_2 = 26$, $x_3 = 677$, $x_4 = 7474$, $x_5 = 2839$, $x_6 = 871$, and so on. ◄


Now, note that by the recursive definition of $x_k$, it follows that if

$$x_i \equiv x_j \pmod{d},$$

where $d$ is a positive integer, then

$$x_{i+1} \equiv f(x_i) \equiv f(x_j) \equiv x_{j+1} \pmod{d}.$$

It follows that if $x_i \equiv x_j \pmod{d}$, then the sequence $x_k$ becomes periodic modulo $d$ with a period dividing $j - i$. That is, $x_q \equiv x_r \pmod{d}$ whenever $q \equiv r \pmod{j - i}$, and $q \ge i$ and $r \ge i$. It follows that if $s$ is the smallest multiple of $j - i$ that is at least as large as $i$, then $x_s \equiv x_{2s} \pmod{d}$.

It follows further that to look for a factor of $n$, we find the greatest common divisor of $x_{2k} - x_k$ and $n$ for $k = 1, 2, 3, \ldots$. We have found a factor of $n$ when we have found a value $k$ for which $1 < (x_{2k} - x_k, n) < n$. From our observations, we see that it is likely that we will find such an integer $k$ with $k$ close to $\sqrt{p}$.

In practice, when the Pollard rho method is used, the polynomial $f(x) = x^2 + 1$ is often chosen to generate the sequence of integers $x_0, x_1, x_2, \ldots, x_k, \ldots$. Furthermore, the seed $x_0 = 2$ is often used. This choice of polynomial and seed produces a sequence that behaves much like a random sequence for the purposes of this factorization method.

Example 4.31. We use the Pollard rho method with seed $x_0 = 2$ and generator polynomial $f(x) = x^2 + 1$ to find a nontrivial factor of $n = 8051$. We find that $x_1 = 5$, $x_2 = 26$, $x_3 = 677$, $x_4 = 7474$, $x_5 = 2839$, $x_6 = 871$. Using the Euclidean algorithm, it follows that $(x_2 - x_1, 8051) = (26 - 5, 8051) = (21, 8051) = 1$ and $(x_4 - x_2, 8051) = (7474 - 26, 8051) = (7448, 8051) = 1$. However, we find a nontrivial factor of 8051 at the next step, as $(x_6 - x_3, 8051) = (871 - 677, 8051) = (194, 8051) = 97$. We see that 97 is a factor of 8051. ◄
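The search over $(x_{2k} - x_k, n)$ described above needs only two running values, $x_k$ and $x_{2k}$. The following Python sketch is an added example, not code from the book; the function names, the `max_steps` bound, and the retry over constants $c$ in $f(x) = x^2 + c$ are assumptions made here. It also handles the failure case the text's condition $1 < (x_{2k} - x_k, n) < n$ excludes: when the greatest common divisor equals $n$, the sequence has cycled modulo $n$ itself and a different polynomial must be tried.

```python
from math import gcd


def pollard_rho(n, seed=2, c=1, max_steps=1_000_000):
    """One run of the Pollard rho method with f(x) = x^2 + c (mod n).

    Returns (d, k), where d is a nontrivial factor found at step k,
    or (None, k) if this seed and polynomial fail at step k."""
    def f(x):
        return (x * x + c) % n

    x_k = x_2k = seed
    for k in range(1, max_steps + 1):
        x_k = f(x_k)            # advances one term:  x_k
        x_2k = f(f(x_2k))       # advances two terms: x_2k
        d = gcd(x_2k - x_k, n)
        if d == n:
            # x_2k = x_k (mod n): the sequence cycled without separating
            # the prime factors of n, so this run cannot succeed.
            return None, k
        if d > 1:
            return d, k
    return None, max_steps


def find_factor(n, seed=2, max_c=20):
    """Try f(x) = x^2 + c for c = 1, 2, ... until a run succeeds."""
    if n % 2 == 0:
        return 2
    for c in range(1, max_c + 1):
        d, _ = pollard_rho(n, seed, c)
        if d is not None:
            return d
    return None


if __name__ == "__main__":
    print(pollard_rho(8051))    # Example 4.31: factor and step number
    print(pollard_rho(25))      # constructed input where x^2 + 1 fails
    print(find_factor(25))      # retry with x^2 + 2 succeeds
```
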
To see why this method is called the Pollard rho method, look at Figure 4.1. This figure shows the periodic behavior of the sequence $x_i$, where $x_0 = 2$ and $x_{i+1} \equiv x_i^2 + 1 \pmod{97}$, $i \ge 1$. The part of this sequence that occurs before the periodicity is the tail of the rho, and the loop is the periodic part.

The Pollard rho method has proved to be practical for the factorization of integers with moderately large prime factors. In practice, the first attempt to factor a large integer is to do trial division by small primes, say, by all primes less than 10,000. Next, the Pollard rho method is used to look for prime factors of intermediate size (up to $10^{15}$, for instance). Only after trial division by small primes and the Pollard rho method have failed are the really big guns brought in, such as the quadratic sieve or the elliptic curve method.


4.6 Exercises

1. Use the Pollard rho method with $x_0 = 2$ and $f(x) = x^2 + 1$ to find the prime factorization of each of the following integers.

a) 133

b) 1189

c) 1927

d) 8131

e) 36,287

f) 48,227

2. Use the Pollard rho method to factor the integer 1387, with the following seeds and generating polynomials.

a) $x_0 = 2$, $f(x) = x^2 + 1$

b) $x_0 = 3$, $f(x) = x^2 + 1$

c) $x_0 = 2$, $f(x) = x^2 - 1$

d) $x_0 = 2$, $f(x) = x^3 + x + 1$

3. Explain why the choice of $f(x)$ as a linear polynomial, that is, a function of the form $f(x) = ax + b$, where $a$ and $b$ are integers, is a poor choice.

Computations and Explorations

1. Use the Pollard rho method to factor ten different integers that have between 15 and 20 decimal digits.

2. Use the Pollard rho method to factor a large number of integers that are close to 100,000, keeping track of the number of steps required. Can you make any conjectures based on your data?

3. Factor $2^{58} + 1$ using the Pollard rho method.

Programming Projects

1. Given a positive integer $n$, find a prime factor of this integer using the Pollard rho method.
Congruences have diverse applications. We have already seen some examples of this, such as in Section 4.3, where we saw how large integers can be multiplied on a computer using congruences. This chapter covers a wide variety of interesting applications of congruences. First, we will show how congruences can be used to develop divisibility tests, such as the simple tests you may already know for checking whether an integer is divisible by 3 or by 9. Next, we will develop a congruence that determines the day of the week for any date in history. Then, we will show how congruences can be used to schedule round-robin tournaments. We will discuss some applications of congruences in computer science; for example, we will show how congruences are used in hashing functions, which themselves have many applications, such as determining computer memory locations where data is stored. Finally, we will show how congruences can be used to construct check digits, which are used to determine whether an identification number has been copied in error.

In subsequent chapters, we will discuss additional applications of congruences. For example, in Chapter 8, we will show how congruences can be used in different ways to make messages secret, and in Chapter 10, we will show how congruences can be used to generate pseudorandom numbers.


5.1 Divisibility Tests 

You may have learned in primary school that to check whether an integer is divisible by 
3, you need only check whether the sum of its digits is divisible by 3. This is an example 
of a divisibility test that uses the digits of an integer to check whether it is divisible 
by a particular divisor, without actually dividing the integer by that possible divisor. 
In this section, we will develop the theory behind such tests. In particular, we will use 
congruences to develop divisibility tests for integers based on their base b expansions, 
where bis a positive integer. Taking b— 10 will give us the well-known tests for checking 
integers for divisibility by 2, 3, 4, 5, 7, 9, 11, and 13. Although you may have learned 
these divisibility tests a long time ago, you will leam why they work here. 

Divisibility by Powers of 2 First, we develop tests for divisibility by powers of 2. 
Let n = 32,688,048. It is easy to see that n is divisible by 2 since its last digit is even. 
Consider the following questions. Does 2 2 = 4 divide nl Does 2 3 = 8 divide nl Does 
2 4 = 16 divide n? What is the highest power of 2 that divides nl We will develop a test 
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that does not require that we actually divide n by 4, 8, and successive powers of 2, which 
answers these questions. 

In the following discussion, let $n = (a_k a_{k-1} \ldots a_1 a_0)_{10}$. Then 
$n = a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0$, with $0 \le a_j \le 9$ for $j = 0, 1, 2, \ldots, k$. 

Because $10 \equiv 0 \pmod{2}$, it follows that $10^j \equiv 0 \pmod{2^j}$ for all positive integers $j$. 
Hence, 

$$
\begin{aligned}
n &\equiv (a_0)_{10} \pmod{2},\\
n &\equiv (a_1 a_0)_{10} \pmod{2^2},\\
n &\equiv (a_2 a_1 a_0)_{10} \pmod{2^3},\\
&\;\;\vdots\\
n &\equiv (a_{k-1} a_{k-2} \ldots a_2 a_1 a_0)_{10} \pmod{2^k}.
\end{aligned}
$$

These congruences tell us that to determine whether an integer n is divisible by 2, we 
only need to examine its last digit for divisibility by 2. Similarly, to determine whether 
n is divisible by 4, we only need to check the integer made up of the last two digits of 
$n$ for divisibility by 4. In general, to test $n$ for divisibility by $2^j$, we only need to check 
the integer made up of the last $j$ digits of $n$ for divisibility by $2^j$. 

Example 5.1. Let $n = 32{,}688{,}048$. We see that $2 \mid n$ because $2 \mid 8$, $4 \mid n$ because 
$4 \mid 48$, $8 \mid n$ because $8 \mid 48$, $16 \mid n$ because $16 \mid 8048$, but $32 \nmid n$ since $32 \nmid 88{,}048$. ◄ 

Divisibility by Powers of 5 Next, we develop divisibility tests for powers of 5. 

To develop tests for divisibility by powers of 5, first note that because 
$10 \equiv 0 \pmod{5}$, we have $10^j \equiv 0 \pmod{5^j}$. Hence, divisibility tests for powers of 5 
are analogous to those for powers of 2. We only need to check the integer made up of 
the last $j$ digits of $n$ to determine whether $n$ is divisible by $5^j$. 

Example 5.2. Let $n = 15{,}535{,}375$. Because $5 \mid 5$, $5 \mid n$; because $25 \mid 75$, $25 \mid n$; because 
$125 \mid 375$, $125 \mid n$; but because $625 \nmid 5375$, $625 \nmid n$. ◄ 

Divisibility by 3 and 9 Next, we develop tests for divisibility by 3 and by 9. 

Note that both the congruences $10 \equiv 1 \pmod{3}$ and $10 \equiv 1 \pmod{9}$ hold. Hence, 
$10^k \equiv 1 \pmod{3}$ and $10^k \equiv 1 \pmod{9}$. This gives us the useful congruences 

$$
\begin{aligned}
(a_k a_{k-1} \ldots a_1 a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0\\
&\equiv a_k + a_{k-1} + \cdots + a_1 + a_0 \pmod{3} \text{ and } \pmod{9}.
\end{aligned}
$$

Hence, we only need to check whether the sum of the digits of n is divisible by 3, or by 
9, to see whether n is divisible by 3, or by 9, respectively. 


Example 5.3. Let $n = 4{,}127{,}835$. Then, the sum of the digits of $n$ is $4 + 1 + 2 + 7 + 
8 + 3 + 5 = 30$. Because $3 \mid 30$ but $9 \nmid 30$, $3 \mid n$ but $9 \nmid n$. ◄ 

Divisibility by 11 A rather simple test can be found for divisibility by 11. 

Because $10 \equiv -1 \pmod{11}$, we have 

$$
\begin{aligned}
(a_k a_{k-1} \ldots a_1 a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0\\
&\equiv a_k(-1)^k + a_{k-1}(-1)^{k-1} + \cdots - a_1 + a_0 \pmod{11}.
\end{aligned}
$$

This shows that $(a_k a_{k-1} \ldots a_1 a_0)_{10}$ is divisible by 11 if and only if $a_0 - a_1 + a_2 - \cdots + 
(-1)^k a_k$, the integer formed by alternately adding and subtracting the digits, is divisible 
by 11. 

Example 5.4. We see that 723,160,823 is divisible by 11, because alternately adding 
and subtracting its digits yields $3 - 2 + 8 - 0 + 6 - 1 + 3 - 2 + 7 = 22$, which is 
divisible by 11. On the other hand, 33,678,924 is not divisible by 11, because 
$4 - 2 + 9 - 8 + 7 - 6 + 3 - 3 = 4$ is not divisible by 11. ◄ 

Divisibility by 7, 11, and 13 Next, we develop a test to simultaneously check for 
divisibility by the primes 7, 11, and 13. 

Note that $7 \cdot 11 \cdot 13 = 1001$ and $10^3 = 1000 \equiv -1 \pmod{1001}$. Hence, 

$$
\begin{aligned}
(a_k a_{k-1} \ldots a_0)_{10} &= a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0\\
&= (a_0 + 10a_1 + 100a_2) + 1000(a_3 + 10a_4 + 100a_5)\\
&\quad + (1000)^2 (a_6 + 10a_7 + 100a_8) + \cdots\\
&\equiv (100a_2 + 10a_1 + a_0) - (100a_5 + 10a_4 + a_3)\\
&\quad + (100a_8 + 10a_7 + a_6) - \cdots\\
&= (a_2 a_1 a_0)_{10} - (a_5 a_4 a_3)_{10} + (a_8 a_7 a_6)_{10} - \cdots \pmod{1001}.
\end{aligned}
$$

This congruence tells us that an integer is congruent modulo 1001 to the integer formed 
by successively adding and subtracting the three-digit integers with decimal expansions 
formed from successive blocks of three decimal digits of the original number, where 
digits are grouped starting with the rightmost digit. As a consequence, because 7, 11, 
and 13 are divisors of 1001, to determine whether an integer is divisible by 7, 11, or 13, 
we only need to check whether this alternating sum and difference of blocks of three 
digits is divisible by 7, 11, or 13. 

Example 5.5. Let $n = 59{,}358{,}208$. Because the alternating sum and difference of the 
integers formed from blocks of three digits, $208 - 358 + 59 = -91$, is divisible by 7 and 
13, but not by 11, we see that $n$ is divisible by 7 and 13, but not by 11. ◄ 

Another way to test for divisibility by 7, 11, 13, or indeed, any integer relatively 
prime to 10, is developed in the exercises. 

Divisibility Tests Using Base b Representations All of the divisibility tests we have 
developed thus far are based on decimal representations. We now develop divisibility 
tests using base b representations, where b is a positive integer. 





Theorem 5.1. If $d \mid b$ and $j$ and $k$ are positive integers with $j < k$, then $(a_k \cdots a_1 a_0)_b$ 
is divisible by $d^j$ if and only if $(a_{j-1} \cdots a_1 a_0)_b$ is divisible by $d^j$. 

Proof. Because $b \equiv 0 \pmod{d}$, it follows that $b^j \equiv 0 \pmod{d^j}$. Hence, 

$$
\begin{aligned}
(a_k a_{k-1} \cdots a_1 a_0)_b &= a_k b^k + \cdots + a_j b^j + a_{j-1} b^{j-1} + \cdots + a_1 b + a_0\\
&\equiv a_{j-1} b^{j-1} + \cdots + a_1 b + a_0\\
&= (a_{j-1} \cdots a_1 a_0)_b \pmod{d^j}.
\end{aligned}
$$

Consequently, $d^j \mid (a_k a_{k-1} \cdots a_1 a_0)_b$ if and only if $d^j \mid (a_{j-1} \cdots a_1 a_0)_b$. ■ 

Theorem 5.1 extends to other bases the divisibility tests of integers expressed in 
decimal notation by powers of 2 and by powers of 5. 

Theorem 5.2. If $d \mid (b - 1)$, then $n = (a_k \ldots a_1 a_0)_b$ is divisible by $d$ if and only if the 
sum of digits $a_k + \cdots + a_1 + a_0$ is divisible by $d$. 

Proof. Because $d \mid (b - 1)$, we have $b \equiv 1 \pmod{d}$, so that by Theorem 4.8 we have 
$b^j \equiv 1 \pmod{d}$ for all positive integers $j$. Hence, $n = (a_k \ldots a_1 a_0)_b = a_k b^k + \cdots + 
a_1 b + a_0 \equiv a_k + \cdots + a_1 + a_0 \pmod{d}$. This shows that $d \mid n$ if and only if 
$d \mid (a_k + \cdots + a_1 + a_0)$. ■ 

Theorem 5.2 extends to other bases the tests for divisibility of integers expressed in 
decimal notation by 3 and by 9. 

Theorem 5.3. If $d \mid (b + 1)$, then $n = (a_k \ldots a_1 a_0)_b$ is divisible by $d$ if and only if the 
alternating sum of digits $(-1)^k a_k + \cdots - a_1 + a_0$ is divisible by $d$. 

Proof. Because $d \mid (b + 1)$, we have $b \equiv -1 \pmod{d}$. Hence, $b^j \equiv (-1)^j \pmod{d}$, and 
consequently, $n = (a_k \ldots a_1 a_0)_b \equiv (-1)^k a_k + \cdots - a_1 + a_0 \pmod{d}$. Hence, $d \mid n$ if 
and only if $d \mid ((-1)^k a_k + \cdots - a_1 + a_0)$. ■ 

Theorem 5.3 extends to other bases the test for divisibility by 11 of integers expressed 
in decimal notation. 

Example 5.6. Let $n = (7F28A6)_{16}$ (in hex notation). Here, the base is $b = 16$. Because 
$2 \mid 16$, we can apply Theorem 5.1 to test for divisibility by powers of 2. We see that $2 \mid n$ 
because 2 divides the last digit 6. But $2^2 = 4$ does not divide $n$, because $4 \nmid (A6)_{16} = 
(166)_{10}$. 

Because $b - 1 = 15 = 3 \cdot 5$, we can apply Theorem 5.2 to test for divisibility by 3, 5, 
and 15. Note that the sum of the digits of $n$ is $7 + F + 2 + 8 + A + 6 = (30)_{16} = (48)_{10}$. 
Because $3 \mid 48$, but $5 \nmid 48$ and $15 \nmid 48$, Theorem 5.2 tells us that $3 \mid n$, but $5 \nmid n$ and 
$15 \nmid n$. 

Because $b + 1 = 17$, we can apply Theorem 5.3 to test for divisibility by 17. Note 
the alternating sum of the digits is $6 - A + 8 - 2 + F - 7 = (A)_{16} = (10)_{10}$. Because 
$17 \nmid 10$, Theorem 5.3 tells us that $17 \nmid n$. ◄ 

Example 5.7. Let $n = (1001001111)_2$. Then, using Theorem 5.3 we see that $3 \mid n$, 
because $n \equiv 1 - 1 + 1 - 1 + 0 - 0 + 1 - 0 + 0 - 1 \equiv 0 \pmod{3}$ and $3 \mid (2 + 1)$. ◄ 
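
The three theorems translate directly into digit-level tests. The following Python sketch is an added example, not code from the book; the function names are chosen here. It applies Theorems 5.1 to 5.3 to a base $b$ digit list and also treats the block test modulo 1001 as Theorem 5.3 in base $10^3$.

```python
def digits(n, b):
    """Base-b digits of n >= 0, least significant first: [a_0, a_1, ..., a_k]."""
    if n < 0 or b < 2:
        raise ValueError("need n >= 0 and b >= 2")
    out = []
    while n:
        n, r = divmod(n, b)
        out.append(r)
    return out or [0]


def value(ds, b):
    """Integer whose base-b digits (least significant first) are ds."""
    total = 0
    for a in reversed(ds):
        total = total * b + a
    return total


def last_digits_test(ds, b, d, j):
    """Theorem 5.1: for d | b, d^j | n iff d^j | (a_{j-1} ... a_1 a_0)_b."""
    if b % d:
        raise ValueError("Theorem 5.1 needs d | b")
    return value(ds[:j], b) % d**j == 0


def highest_power(ds, b, d):
    """Largest j with d^j | n, found by repeating the Theorem 5.1 test."""
    if d < 2 or not any(ds):
        raise ValueError("need d >= 2 and n > 0")
    j = 0
    while last_digits_test(ds, b, d, j + 1):
        j += 1
    return j


def digit_sum_test(ds, b, d):
    """Theorem 5.2: for d | (b - 1), d | n iff d | (a_k + ... + a_1 + a_0)."""
    if (b - 1) % d:
        raise ValueError("Theorem 5.2 needs d | (b - 1)")
    return sum(ds) % d == 0


def alternating_sum(ds):
    """a_0 - a_1 + a_2 - ... + (-1)^k a_k."""
    return sum(-a if i % 2 else a for i, a in enumerate(ds))


def alternating_sum_test(ds, b, d):
    """Theorem 5.3: for d | (b + 1), d | n iff d | alternating digit sum."""
    if (b + 1) % d:
        raise ValueError("Theorem 5.3 needs d | (b + 1)")
    return alternating_sum(ds) % d == 0


if __name__ == "__main__":
    n = 0x7F28A6                      # Example 5.6
    ds = digits(n, 16)
    print("2 | n:", last_digits_test(ds, 16, 2, 1))
    print("4 | n:", last_digits_test(ds, 16, 2, 2))
    print("3 | n:", digit_sum_test(ds, 16, 3))
    print("17 | n:", alternating_sum_test(ds, 16, 17))
    # Example 5.5: blocks of three decimal digits are the base-1000 digits,
    # and 7, 11, 13 all divide 1000 + 1.
    blocks = digits(59358208, 1000)
    print("blocks:", blocks, "alternating sum:", alternating_sum(blocks))
```
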

5.1 Exercises 

1. Determine the highest power of 2 that divides each of the following positive integers. 

a) 201,984 b) 1,423,408 c) 89,375,744 d) 41,578,912,246 

2. Determine the highest power of 5 that divides each of the following positive integers. 

a) 112,250 b) 4,860,625 c) 235,555,790 d) 48,126,953,125 

3. Which of the following integers are divisible by 3? Of those that are, which are divisible 
by 9? 

a) 18,381 b) 65,412,351 c) 987,654,321 d) 78,918,239,735 

4. Which of the following integers are divisible by 11? 

a) 10,763,732 b) 1,086,320,015 c) 674,310,976,375 d) 8,924,310,064,537 

5. Find the highest power of 2 that divides each of the following integers. 

a) $(101111110)_2$ b) $(1010000011)_2$ c) $(111000000)_2$ d) $(1011011101)_2$ 

6. Determine which of the integers in Exercise 5 are divisible by 3. 

7. Which of the following integers are divisible by 2? 

a) $(1210122)_3$ b) $(211102101)_3$ c) $(1112201112)_3$ d) $(10122222011101)_3$ 

8. Which of the integers in Exercise 7 are divisible by 4? 

9. Which of the following integers are divisible by 3, and which are divisible by 5? 

a) $(3EA235)_{16}$ b) $(ABCDEF)_{16}$ c) $(F117921173)_{16}$ d) $(10AB987301F)_{16}$ 

10. Which of the integers in Exercise 9 are divisible by 17? 

A repunit is an integer with decimal expansion containing all 1s. 

11. Determine which repunits are divisible by 3, and which are divisible by 9. 

12. Determine which repunits are divisible by 11. 

13. Determine which repunits are divisible by 1001. Which are divisible by 7? by 13? 

14. Determine which repunits with fewer than 10 digits are prime. 

A base $b$ repunit is an integer with base $b$ expansion containing all 1s. 

15. Determine which base b repunits are divisible by factors of b — 1. 

16. Determine which base b repunits are divisible by factors of b + 1. 

A base b palindromic integer is an integer whose base b representation reads the same 
forward and backward. 

17. Show that every decimal palindromic integer with an even number of digits is divisible 
by 11. 

18. Show that every base 7 palindromic integer with an even number of digits is divisible by 8. 

19. Develop a test for divisibility by 37, based on the fact that $10^3 \equiv 1 \pmod{37}$. Use this to check 
443,692 and 11,092,785 for divisibility by 37. 

20. Devise a test for integers represented in base $b$ notation to check for divisibility by $n$, where 
$n$ is a divisor of $b^2 + 1$. (Hint: Split the digits of the base $b$ representation of the integer into 
blocks of two, starting on the right.) 

21. Use the test that you developed in Exercise 20 to decide whether 

a) $(101110110)_2$ is divisible by 5. 

b) $(12100122)_3$ is divisible by 2, and whether it is divisible by 5. 

c) $(364701244)_8$ is divisible by 5, and whether it is divisible by 13. 

d) $(5837041320219)_{10}$ is divisible by 101. 

22. An old receipt has faded. It reads 88 chickens at a total of \$x4.2y, where x and y are unreadable 
digits. How much did each chicken cost? 

23. Use a congruence modulo 9 to find the missing digit, indicated by a question mark: 89,878 • 
58,965 = 5299 ? 56270. 

24. Suppose that $n = 31{,}888{,}X74$, where $X$ is a missing digit. Find all possible values of $X$ so 
that $n$ is divisible by each of these integers: 

a) 2 b) 3 c) 4 d) 5 e) 9 f) 11 

25. Suppose that $n = 917{,}4X8{,}835$, where $X$ is a missing digit. Find all possible values of $X$ so 
that $n$ is divisible by each of these integers: 

a) 2 b) 3 c) 5 d) 9 e) 11 f) 25 

We can check a multiplication $c = ab$ by determining whether the congruence $c \equiv ab \pmod{m}$ is 
valid, where $m$ is any modulus. If we find that $c$ is not congruent to $ab$ modulo $m$, then we know 
that an error has been made. When we take $m = 9$ and use the fact that an integer in decimal 
notation is congruent modulo 9 to the sum of its digits, this check is called casting out nines. 

26. Check each of the following multiplications by casting out nines. 

a) 875,961 • 2753 = 2,410,520,633 

b) 14,789 • 23,567 = 348,532,367 

c) 24,789 • 43,717 = 1,092,700,713 

27. Is a check of a multiplication by casting out nines foolproof? 

28. What combinations of digits of a decimal expansion of an integer are congruent to this integer 
modulo 99? Use your answer to devise a check for multiplication based on casting out ninety- 
nines. Then use the test to check the multiplications in Exercise 26. 

29. In this exercise, we develop a general approach for constructing divisibility tests. Suppose 
that $n = (a_k a_{k-1} \ldots a_1 a_0)_{10}$ and $d$ is a positive integer with $(d, 10) = 1$. First, show that if 
$e$ is an inverse of 10 modulo $d$, then $d \mid n$ if and only if $d \mid n' = (n - a_0)/10 + e a_0$. Use 
this fact to show that we can determine whether $n$ is divisible by $d$ by forming the sequence 
$n, n', (n')', \ldots$, until we reach a term that we can examine by hand to determine whether it 
is divisible by $d$. 

30. Use Exercise 29 to develop a test for divisibility by each of these integers: 

a) 7 b) 11 c) 17 d) 23 

31. Use Exercise 29 to develop a test for divisibility by each of these integers: 

a) 13 b) 19 c) 21 d) 27 

32. Use the tests you developed in Exercise 30 to determine which of 7, 11, 17, and 23 divide 
these numbers. 

a) 851 b) 8,694 c) 20,493 d) 558,851 

33. Use the tests you developed in Exercise 31 to determine which of 13, 19, 21, and 27 divide 
these numbers. 

a) 798 b) 2,340 c) 34,257 d) 348,327 

Computations and Explorations 

1. Determine whether the repunit with n digits is prime, where n is a positive integer not 
exceeding 30. Can you go further? 

Programming Projects 

1. Given a positive integer n, determine the highest powers of 2 and of 5 that divide n. 

2. Given a positive integer n, test n for divisibility by 3, 7, 9, 11, and 13. (Use congruences 
modulo 1001 for divisibility by 7 and 13.) 

3. Given a positive integer n, determine the highest power of each factor of b that divides an 
integer from the base b expansion of n. 

4. Given a positive integer n and a base b, use the base b expansion of n to determine whether 
it is divisible by factors of $b - 1$ and of $b + 1$. 


5.2 The Perpetual Calendar 

In this section, we derive a formula that gives us the day of the week of any day of any 
year. Because the days of the week form a cycle of length seven, we use a congruence 
modulo 7. We denote each day of the week by a number in the set 0, 1, 2, 3, 4, 5, 6, 
setting 

• Sunday = 0, 
• Monday = 1, 
• Tuesday = 2, 
• Wednesday = 3, 
• Thursday = 4, 
• Friday = 5, 
• Saturday = 6. 

Julius Caesar changed the Egyptian calendar, which was based on a year of exactly 
365 days, to a new calendar, called the Julian calendar, with a year of average length 
365¼ days, with leap years every fourth year, to better reflect the true length of the 
year. However, more recent calculations have shown that the true length of the year is 
approximately 365.2422 days. As the centuries passed, the discrepancies of 0.0078 days 
per year added up, so that by the year 1582 approximately 10 extra days had been added 
unnecessarily in leap years. To remedy this, in 1582 Pope Gregory set up a new calendar. 
First, 10 days were added to the date, so that October 5, 1582, became October 15, 1582 
(and the 6th through the 14th of October were skipped). It was decided that leap years 
would be precisely the years divisible by 4, except that those exactly divisible by 100, 
the years that mark centuries, would be leap years only when divisible by 400. As an 
example, the years 1700, 1800, 1900, and 2100 are not leap years, but 1600 and 2000 
are. With this arrangement, the average length of a calendar year became 365.2425 days, 
rather close to the true year of 365.2422 days. An error of 0.0003 days per year remains, 
which is 3 days per 10,000 years. In the future, this discrepancy will have to be accounted 
for, and various possibilities have been suggested to correct for this error. 

In dealing with calendar dates for various parts of the world, we must also take into 
account the fact that the Gregorian calendar was not adopted everywhere in 1582. In 
Britain and what is now the United States, the Gregorian calendar was adopted only in 
1752, and by then it was necessary to add 11 days. In these places September 3, 1752, 
in the Julian calendar became September 14, 1752, in the Gregorian calendar. Japan 
changed over in 1873, Russia and nearby countries in 1917, while Greece held out until 
1923. 

We now set up our procedure, called the perpetual calendar, for finding the day of the 
week for a given date in the Gregorian calendar. We first must make some adjustments, 
because the extra day in a leap year comes at the end of February. We take care of this 
by renumbering the months, starting each year in March, and considering the months 
of January and February part of the preceding year. For instance, February 2000 is 
considered the twelfth month of 1999, and May 2000 is considered the third month 
of 2000. With this convention, for the day of interest, let 

• $k$ = day of the month, 

• $m$ = month, 
with 

    January  = 11      May    = 3      September = 7 
    February = 12      June   = 4      October   = 8 
    March    = 1       July   = 5      November  = 9 
    April    = 2       August = 6      December  = 10 

• $N$ = year, 

where $N$ is the current year unless the month is January or February, in which case 
$N$ is the previous year, and where $N = 100C + Y$, where 

• $C$ = century, 

• $Y$ = particular year of the century. 

Example 5.8. For the date April 3, 1951, we have $k = 3$, $m = 2$, $N = 1951$, $C = 19$, 
and $Y = 51$. But note that for February 28, 1951, we have $k = 28$, $m = 12$, $N = 1950$, 
$C = 19$, and $Y = 50$, because, for our calculations, we consider February to be the twelfth 
month of the previous year. ◄ 

We use March 1 of each year as our basis. Let $d_N$ represent the day of the week of 
March 1 in year $N$. We start with the year 1600, and compute the day of the week March 
1 falls on in any given year. Note that between March 1 of year $N - 1$ and March 1 of 
year $N$, if year $N$ is not a leap year, 365 days have passed; and because $365 \equiv 1 \pmod{7}$, 
we see that $d_N \equiv d_{N-1} + 1 \pmod{7}$, whereas if year $N$ is a leap year, because there is 
an extra day between the consecutive firsts of March, we see that 

$$d_N \equiv d_{N-1} + 2 \pmod{7}.$$

Hence, to find $d_N$ from $d_{1600}$, we must first find out how many leap years have occurred 
between the year 1600 and the year $N$ (not including 1600, but including $N$); let us 
call this number $x$. To compute $x$, first note that by the division algorithm there are 
$[(N - 1600)/4]$ years divisible by 4 between 1600 and $N$, there are $[(N - 1600)/100]$ 
years divisible by 100 between 1600 and $N$, and there are $[(N - 1600)/400]$ years 
divisible by 400 between 1600 and $N$. Hence, 

$$
\begin{aligned}
x &= [(N - 1600)/4] - [(N - 1600)/100] + [(N - 1600)/400]\\
&= [N/4] - 400 - [N/100] + 16 + [N/400] - 4\\
&= [N/4] - [N/100] + [N/400] - 388.
\end{aligned}
$$

(We have used the identity from Example 1.4 to simplify this expression.) Putting this 
in terms of $C$ and $Y$, we see that 

$$
\begin{aligned}
x &= [25C + (Y/4)] - [C + (Y/100)] + [(C/4) + (Y/400)] - 388\\
&= 25C + [Y/4] - C + [C/4] - 388\\
&\equiv 3C + [C/4] + [Y/4] - 3 \pmod{7}.
\end{aligned}
$$

Here we have again used the identity from Example 1.4, the inequality $Y/100 < 1$, and 
the equation $[(C/4) + (Y/400)] = [C/4]$ (which follows from Exercise 27 of Section 
1.5, because $Y/400 < 1/4$). 

We can now compute $d_N$ from $d_{1600}$ by shifting $d_{1600}$ by one day for every year that 
has passed, plus an extra day for each leap year between 1600 and $N$. This gives the 
following formula: 

$$
\begin{aligned}
d_N &\equiv d_{1600} + N - 1600 + x\\
&\equiv d_{1600} + 100C + Y - 1600 + 3C + [C/4] + [Y/4] - 3 \pmod{7}.
\end{aligned}
$$

Simplifying, we have 

$$d_N \equiv d_{1600} - 2C + Y + [C/4] + [Y/4] \pmod{7}.$$

Now that we have a formula relating the day of the week for March 1 of any year to the 
day of the week of March 1, 1600, we can use the fact that March 1, 1982, is a Monday 
to find the day of the week of March 1, 1600. For 1982, because $N = 1982$, we have 
$C = 19$ and $Y = 82$, and since $d_{1982} = 1$, it follows that 

$$1 \equiv d_{1600} - 38 + 82 + [19/4] + [82/4] \equiv d_{1600} - 2 \pmod{7}.$$

Hence, $d_{1600} = 3$, so that March 1, 1600, was a Wednesday. When we insert the value of 
$d_{1600}$, the formula for $d_N$ becomes 

$$d_N \equiv 3 - 2C + Y + [C/4] + [Y/4] \pmod{7}.$$

We now use this formula to compute the day of the week of the first day of each 
month of year $N$. To do this, we have to use the number of days of the week that the first 
of the month of a particular month is shifted from the first of the month of the preceding 
month. The months with 30 days shift the first of the following month up 2 days, because 
$30 \equiv 2 \pmod{7}$, and those with 31 days shift the first of the following month up 3 days, 
because $31 \equiv 3 \pmod{7}$. Therefore, we must add the following amounts: 


    from March 1 to April 1:           3 days 
    from April 1 to May 1:             2 days 
    from May 1 to June 1:              3 days 
    from June 1 to July 1:             2 days 
    from July 1 to August 1:           3 days 
    from August 1 to September 1:      3 days 
    from September 1 to October 1:     2 days 
    from October 1 to November 1:      3 days 
    from November 1 to December 1:     2 days 
    from December 1 to January 1:      3 days 
    from January 1 to February 1:      3 days. 

We need a formula that gives us the same increments. Notice that we have 11 increments, 
7 of 3 days and 4 of 2 days, totaling 29 days, so that each increment averages 2.6 days. By 
inspection, we find that the function $[2.6m - 0.2] - 2$ has exactly the same increments 
as $m$ goes from 2 to 12, and is zero when $m = 1$. (This formula was originally found 
by Christian Zeller;¹ he apparently found it by trial and error.) Hence, the day of the 
week of the first day of month $m$ of year $N$ is given by the least nonnegative residue of 

$$d_N + [2.6m - 0.2] - 2 \text{ modulo } 7.$$


To find W, the day of the week of day k of month m of year N, we simply add k — 1 
to the formula we have devised for the day of the week of the first day of the same month. 
We obtain the formula 

$$W \equiv k + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] \pmod{7}.$$

We can use this formula to find the day of the week of any date of any year in the 
Gregorian calendar. 


Example 5.9. To find the day of the week of January 1, 1900, we have $C = 18$, $Y = 99$, 
$m = 11$, and $k = 1$ (because we consider January as the eleventh month of the preceding 
year). Hence, we have $W \equiv 1 + 28 - 36 + 99 + 24 + 4 \equiv 1 \pmod{7}$, so that January 1, 
1900, was a Monday. ◄ 
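
The formula for $W$ can be checked mechanically. The following Python sketch is an added example, not code from the book; the function names are chosen here. It computes $[2.6m - 0.2]$ in exact integer arithmetic as $[(13m - 1)/5]$, confirms that the bracket expression reproduces the month-by-month shifts listed above, and can be compared with the standard library's calendar.

```python
import datetime

DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")

# Lengths of the renumbered months March (m = 1) through January (m = 11).
MONTH_LENGTHS = (31, 30, 31, 30, 31, 31, 30, 31, 30, 31, 31)


def month_shift(m):
    """[2.6m - 0.2] - 2, computed without floating point as [(13m - 1)/5] - 2."""
    return (13 * m - 1) // 5 - 2


def shifts_match_month_lengths():
    """True iff month_shift(m) agrees mod 7 with the days elapsed since March 1."""
    elapsed = 0
    for m in range(1, 13):
        if month_shift(m) % 7 != elapsed % 7:
            return False
        if m <= 11:
            elapsed += MONTH_LENGTHS[m - 1]
    return True


def renumber(year, month):
    """Return (m, N, C, Y) with the year starting in March, as in the text."""
    m = (month - 3) % 12 + 1                  # March -> 1, ..., February -> 12
    N = year - 1 if month <= 2 else year      # Jan/Feb belong to the previous year
    C, Y = divmod(N, 100)
    return m, N, C, Y


def day_of_week(year, month, day):
    """W = k + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] (mod 7), with 0 = Sunday."""
    m, _, C, Y = renumber(year, month)
    W = day + (13 * m - 1) // 5 - 2 * C + Y + Y // 4 + C // 4
    return W % 7        # Python's % already gives the least nonnegative residue


if __name__ == "__main__":
    for date in [(1900, 1, 1), (1982, 3, 1), (1600, 3, 1)]:
        print(date, DAY_NAMES[day_of_week(*date)])
    # Compare with the standard library (proleptic Gregorian calendar).
    d = datetime.date(1951, 2, 28)
    print(d, DAY_NAMES[day_of_week(d.year, d.month, d.day)],
          DAY_NAMES[d.isoweekday() % 7])
```
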


¹ Christian Julius Johannes Zeller (1849-1899) was born in Muhlhausen on the Neckar in Germany. He became 
a priest at Schokingen after completing his theological studies. He served as the principal of a women’s college 
at Markgroningen from 1847 until 1898. He published his formula for the day of the week of a date in 1882. 

5.2 Exercises 


1. Find the day of the week of the day you were born, and of your birthday this year. 


2. Find the day of the week of the following important dates in U.S. history (use the Julian 
calendar before September 3, 1752, and the Gregorian calendar from September 14, 1752, to 
the present). 

* a) October 12, 1492 (Columbus sights land in the Caribbean) 
* b) May 6, 1692 (Peter Minuit buys Manhattan from the natives) 
* c) June 15, 1752 (Benjamin Franklin invents the lightning rod) 
d) July 4, 1776 (U.S. Declaration of Independence) 
e) March 30, 1867 (U.S. buys Alaska from Russia) 
f) March 17, 1888 (Great blizzard in the Eastern U.S.) 
g) February 15, 1898 (U.S. Battleship Maine blown up in Havana Harbor) 
h) July 2, 1925 (Scopes convicted of teaching evolution) 
i) July 16, 1945 (First atomic bomb exploded) 
j) July 20, 1969 (First man on the moon) 
k) August 9, 1974 (President Nixon resigns) 
l) March 28, 1979 (Three Mile Island nuclear accident) 
m) January 1, 1984 (“Ma Bell” breakup) 
n) December 25, 1991 (Demise of the U.S.S.R.) 
o) June 5, 2027 (First man on Mars) 


3. How many times will the 13th of the month fall on a Friday in the year 2020? 

4. How many leap years will there be from the year 1 until the year 10,000, inclusive? 

5. To correct the small discrepancy between the number of days in a year of the Gregorian 
calendar and an actual year, it has been suggested that the years exactly divisible by 4000 
should not be leap years. Adjust the formula for the day of the week of a given date to take 
this correction into account. 


6. Show that days with the same calendar date in two different years of the same century, 28, 56, 
or 84 years apart, fall on the identical day of the week. 

7. Which of your birthdays, until your one hundredth, fall on the same day of the week as the 
day you were born? 

8. What is the next term in the sequence 1995, 1997, 1998, 1999, 2001, 2002, 2003? 

9. What is the next term in the sequence 1700, 1800, 1900, 2100, 2200, 2300? 

10. Show that the number of leap years that occur in any 400 consecutive years is always the 
same and find this number of years. 

11. Show the 13th day of each of two consecutive months is a Friday if and only if these months 
are the February and March of a year for which January 1 falls on a Thursday. 

* 12. A new calendar called the International Fixed Calendar has been proposed. In this calendar, 
there are 13 months, including all of our present months, plus a new month, called Sol, which 
is placed between June and July. Each month has 28 days, except for the June of leap years, 
which has an extra day (leap years are determined the same way as in the Gregorian calendar). 
There is an extra day, Year End Day, which is not in any month, which we may consider as 
December 29. Devise a perpetual calendar for the International Fixed Calendar to give the 
day of the week for any calendar date. 

13. Show that every year in the Gregorian calendar includes at least one Friday the 13th. 

14. Show that for every year of the Gregorian calendar and for every integer $k$ with $1 \le k \le 30$, as 
the 12 months of the year pass, the $k$th day of the month falls on all seven days of the week. 

15. Given a year in the Gregorian calendar, determine on how many different days of the week 
the 31st of a month falls. 

16. Determine the largest possible number of years in a century during which the month of 
February has five Sundays. 

Computations and Explorations 

1. Find the number of times that the thirteenth of a month falls on a Friday for all years between 
1800 and 2300. Can you make and prove a conjecture based on your evidence? 

Programming Projects 

1. Given a date (month, day, and year), determine the day of the week on which it falls. 

2. Given a year, print out a calendar of that year. 

3. Given a year, print out a calendar for the International Fixed Calendar (see Exercise 12) for 
that year. 


5.3 Round-Robin Tournaments 

Congruences can be used to schedule round-robin tournaments. In this section, we show 
how to schedule a tournament for N different teams where every team plays at most one 
match per day, and the tournament lasts N — 1 days, so that each team plays every other 
team exactly once. The method we describe was developed by Freund [Fr56]. 

First, note that if N is odd, not all teams can be scheduled in each round, because 
when teams are paired, the total number of teams playing is even. So, if N is odd, we add 
a dummy team, and if a team is paired with the dummy team during a particular round, 
it draws a bye in that round and does not play. Hence, we can assume that we always 
have an even number of teams, with the addition of a dummy team if necessary. 

We label the $N$ teams with the integers $1, 2, 3, \ldots, N - 1, N$. We construct a 
schedule, pairing teams in the following way. We have team $i$, with $i \ne N$, play team 
$j$, with $j \ne N$ and $j \ne i$, in the $k$th round if $i + j \equiv k \pmod{N - 1}$. This schedules 
games for all teams in round $k$, except for team $N$ and the one team $i$ for which 
$2i \equiv k \pmod{N - 1}$. There is one such team because Corollary 4.11.1 tells us that the 
congruence $2x \equiv k \pmod{N - 1}$ has exactly one solution with $1 \le x \le N - 1$, because 
$(2, N - 1) = 1$. We match this team $i$ with team $N$ in the $k$th round. 

We must now show that each team plays every other team exactly once. We consider 
the first $N - 1$ teams. Note that team $i$, where $1 \le i \le N - 1$, plays team $N$ in round $k$, 
where $2i \equiv k \pmod{N - 1}$, and this happens exactly once. In the other rounds, team $i$ 
does not play the same team twice, for if team $i$ played team $j$ in both rounds $k$ and $k'$, then 
$i + j \equiv k \pmod{N - 1}$, and $i + j \equiv k' \pmod{N - 1}$, which is an obvious contradiction 
because $k \not\equiv k' \pmod{N - 1}$. Hence, because each of the first $N - 1$ teams plays $N - 1$ 
games, and does not play any team more than once, it plays every team exactly once. 
Also, team $N$ plays $N - 1$ games, and since every other team plays team $N$ exactly once, 
team $N$ plays every other team exactly once. 

                      Team 
    Round     1      2      3      4      5 
      1       5      4     bye     2      1 
      2      bye     5      4      3      2 
      3       2      1      5     bye     3 
      4       3     bye     1      5      4 
      5       4      3      2      1     bye 

Table 5.1 Round-robin schedule for five teams. 


Example 5.10. To schedule a round-robin tournament with five teams, labeled 1, 2, 
3, 4, and 5, we include a dummy team labeled 6. In round one, team 1 plays team $j$, 
where $1 + j \equiv 1 \pmod{5}$. This is the team $j = 5$ so that team 1 plays team 5. Team 2 is 
scheduled in round one with team 4, since the solution of $2 + j \equiv 1 \pmod{5}$ is $j = 4$. 
Because $i = 3$ is the solution of the congruence $2i \equiv 1 \pmod{5}$, team 3 is paired with the 
dummy team 6, and hence draws a bye in the first round. If we continue this procedure 
and finish scheduling the other rounds, we end up with the pairings shown in Table 5.1, 
where the opponent of team $i$ in round $k$ is given in the $k$th row and $i$th column. ◄ 
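
The pairing rule and the proof's claim can both be checked by program. The following Python sketch is an added example, not code from the book; the function names are chosen here. It builds the schedule from the congruence $i + j \equiv k \pmod{N - 1}$, adds the dummy team when the number of teams is odd, and verifies that every pair of teams meets exactly once.

```python
from itertools import combinations


def round_robin(n_teams):
    """schedule[k][i] = opponent of team i in round k; None marks a bye."""
    if n_teams < 2:
        raise ValueError("need at least two teams")
    N = n_teams + n_teams % 2            # add dummy team N when n_teams is odd
    schedule = {}
    for k in range(1, N):
        pairing = {}
        for i in range(1, N):
            # the j in 1..N-1 with i + j ≡ k (mod N - 1)
            j = (k - i) % (N - 1) or N - 1
            if j == i:                   # 2i ≡ k (mod N - 1): team i meets team N
                j = N
                pairing[N] = i
            pairing[i] = j
        if N != n_teams:                 # meeting the dummy team means a bye
            del pairing[N]
            pairing = {i: (None if j == N else j) for i, j in pairing.items()}
        schedule[k] = pairing
    return schedule


def check_schedule(schedule, n_teams):
    """True iff pairings are mutual and every pair of teams meets exactly once."""
    meetings = {pair: 0 for pair in combinations(range(1, n_teams + 1), 2)}
    for pairing in schedule.values():
        for i, j in pairing.items():
            if j is None:
                continue
            if pairing[j] != i:          # opponent must be paired back with i
                return False
            if i < j:
                meetings[(i, j)] += 1
    return all(count == 1 for count in meetings.values())


def format_table(schedule, n_teams):
    """Rows are rounds, columns are teams, as in Table 5.1."""
    lines = ["Round " + "".join(f"{i:>5}" for i in range(1, n_teams + 1))]
    for k, pairing in schedule.items():
        cells = "".join(f"{'bye' if pairing[i] is None else pairing[i]:>5}"
                        for i in range(1, n_teams + 1))
        lines.append(f"{k:>5} " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    s = round_robin(5)
    print(format_table(s, 5))
    print("valid:", check_schedule(s, 5))
```
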


5.3 Exercises 

1. Set up a round-robin tournament schedule for the following. 

a) 7 teams b) 8 teams c) 9 teams d) 10 teams 

2. In round-robin tournament scheduling, we wish to assign a home team and an away team for 
each game so that each of $N$ teams, where $N$ is odd, plays an equal number of home games 
and away games. Show that if, when $i + j$ is odd, we assign the smaller of $i$ and $j$ as the 
home team, whereas if $i + j$ is even, we assign the larger of $i$ and $j$ as the home team, then 
each team plays an equal number of home and away games. 

3. In a round-robin tournament scheduling, use Exercise 2 to determine the home team for each 
game for the following numbers of teams. 

a) 5 teams b) 7 teams c) 9 teams 

Computations and Explorations 

1. Construct a round-robin schedule for a tournament with 13 teams, specifying a home team 
for each game. 


Programming Projects 

1. Schedule round-robin tournaments for n teams, where n is a positive integer. 

2. Using Exercise 2, schedule round-robin tournaments for n teams, where n is an odd positive 
integer, specifying the home team for each game. 


5.4 Hashing Functions 

A university wishes to store a file in its computer for each of its students. The identifying 
number or key for each file is the social security number of the student. The social 
security number is a nine-digit integer, so it is extremely infeasible to reserve a memory 
location for each possible social security number. Instead, a systematic way to arrange 
the files in memory, using a reasonable number of memory locations, should be used so 
that each file can be easily accessed. Systematic methods of arranging files have been 
developed based on hashing functions. A hashing function assigns to the key of each file 
a particular memory location. Various types of hashing functions have been suggested, 
but the type most commonly used involves modular arithmetic. We discuss this type of 
hashing function here; for a general discussion of hashing functions, see Knuth [Kn97] 
or [CoLeRi01]. 

Let k be the key of the file to be stored; in our example, k is the social security 
number of a student. Let m be a positive integer. We define the hashing function h(k) by 

$$h(k) \equiv k \pmod{m},$$

where $0 \le h(k) < m$, so that $h(k)$ is the least positive residue of $k$ modulo $m$. We wish 
to pick $m$ intelligently, so that the files are distributed in a reasonable way throughout 
the $m$ different memory locations $0, 1, 2, \ldots, m - 1$. 

The first thing to keep in mind is that m should not be a power of the base b that is 
used to represent the keys. For instance, when using social security numbers as keys, m 
should not be a power of 10, such as $10^3$, because the value of the hashing function would 
simply be the last several digits of the key; this may not distribute the keys uniformly 
throughout the memory locations. For instance, the last three digits of early issued social 
security numbers may often be between 000 and 099, but seldom between 900 and 999. 
Likewise, it is unwise to use a number dividing $b^k \pm a$, where k and a are small integers, 
for the modulus m. In such a case, h(k) would depend too strongly on the particular digits 
of the key, and different keys with similar, but rearranged, digits may be sent to the same 
memory location. For instance, if m = 111, then, since $111 \mid (10^3 - 1) = 999$, we have 
$10^3 \equiv 1 \pmod{111}$, so that the social security numbers 064 212 848 and 064 848 212 are 
sent to the same memory location, because 

$$h(064\,212\,848) \equiv 064\,212\,848 \equiv 064 + 212 + 848 \equiv 1124 \equiv 14 \pmod{111}$$

and 

$$h(064\,848\,212) \equiv 064\,848\,212 \equiv 064 + 848 + 212 \equiv 1124 \equiv 14 \pmod{111}.$$

To avoid such difficulties, m should be a prime that approximates the number 
of available memory locations devoted to file storage. For instance, if there are 5000 
memory locations available for storage of 2000 student files, we could pick m to be 
equal to the prime 4969. 

If the hashing function assigns the same memory location to two different files, 
we say that there is a collision. We need a method to resolve collisions, so that files are 
assigned to unique memory locations. There are two kinds of collision resolution policies. 
In the first kind, when a collision occurs, extra memory locations are linked together to 
the first memory location. When one wishes to access a file where this collision resolution 
policy has been used, it is necessary to first evaluate the hashing function for the particular 
key involved. Then the list linked to this memory location is searched. 

The second kind of collision resolution policy is to look for an open memory location 
when an occupied location is assigned to a file. Various suggestions have been made for 
accomplishing this, such as the following techniques. 

Starting with our original hashing function $h_0(k) = h(k)$, we define a sequence of 
memory locations $h_1(k), h_2(k), \ldots$. We first attempt to place the file with key k at 
location $h_0(k)$. If this location is occupied, we move to location $h_1(k)$. If this is occupied, 
we move to location $h_2(k)$, and so on. 

We can choose the sequence of functions $h_j(k)$ in various ways. The simplest way 
is to let 

$$h_j(k) \equiv h(k) + j \pmod{m}, \quad 0 \le h_j(k) < m.$$

This places the file with key k as near as possible past location h(k). Note that with this 
choice of $h_j(k)$, all memory locations are checked, so if there is an open location, it will 
be found. Unfortunately, this simple choice of $h_j(k)$ leads to difficulties; files tend to 
cluster. We see that if $k_1 \ne k_2$ and $h_i(k_1) = h_j(k_2)$ for nonnegative integers i and j, then 
$h_{i+k}(k_1) = h_{j+k}(k_2)$ for k = 1, 2, 3, ..., so that exactly the same sequence of locations 
is traced out once there is a collision. This lowers the efficiency of the search for files in 
the table. We would like to avoid this problem of clustering, so we choose the function 
$h_j(k)$ in a different way. 

To avoid clustering, we use a technique called double hashing. We choose, as before, 

$$h(k) \equiv k \pmod{m},$$

with $0 \le h(k) < m$, where m is prime, as the hashing function. We take a second hashing 
function 

$$g(k) \equiv k + 1 \pmod{m - 2},$$

where $0 < g(k) \le m - 2$, so that (g(k), m) = 1. We take as a probing sequence 

$$h_j(k) \equiv h(k) + j \cdot g(k) \pmod{m},$$

where $0 \le h_j(k) < m$. Because (g(k), m) = 1, as j runs through the integers $0, 1, 2, \ldots, 
m - 1$, all memory locations are traced out. The ideal situation would be for $m - 2$ also 
to be prime, so that the values g(k) are distributed in a reasonable way. Hence, we would 
like $m - 2$ and m to be twin primes. 

Example 5.11. In our example using social security numbers, both m = 4969 and 
$m - 2 = 4967$ are prime. Our probing sequence is 

$$h_j(k) \equiv h(k) + j \cdot g(k) \pmod{4969},$$

where $0 \le h_j(k) < 4969$, $h(k) \equiv k \pmod{4969}$, and $g(k) \equiv k + 1 \pmod{4967}$. 

Suppose that we wish to assign memory locations to files for students with the 
following social security numbers: 

k_1 = 344 401 659      k_6 = 372 500 191 
k_2 = 325 510 778      k_7 = 034 367 980 
k_3 = 212 228 844      k_8 = 546 332 190 
k_4 = 329 938 157      k_9 = 509 496 993 
k_5 = 047 900 151      k_10 = 132 489 973. 

Because $k_1 \equiv 269$, $k_2 \equiv 1526$, and $k_3 \equiv 2854 \pmod{4969}$, we assign the first three 
files to locations 269, 1526, and 2854, respectively. 

Because $k_4 \equiv 1526 \pmod{4969}$, but memory location 1526 is taken, we compute 
$h_1(k_4) \equiv h(k_4) + g(k_4) = 1526 + 216 = 1742 \pmod{4969}$; this follows because 
$g(k_4) \equiv 1 + k_4 \equiv 216 \pmod{4967}$. 

Because location 1742 is free, we assign the fourth file to this location. The fifth, 
sixth, seventh, and eighth files go into the available locations 3960, 4075, 2376, and 578, 
respectively, because $k_5 \equiv 3960$, $k_6 \equiv 4075$, $k_7 \equiv 2376$, and $k_8 \equiv 578 \pmod{4969}$. 

We find that $k_9 \equiv 578 \pmod{4969}$; because location 578 is occupied, we compute 
$h_1(k_9) \equiv h(k_9) + g(k_9) = 578 + 2002 = 2580 \pmod{4969}$, where 
$g(k_9) \equiv 1 + k_9 \equiv 2002 \pmod{4967}$. Hence, we assign the ninth file to the free location 2580. 

Finally, we find that $k_{10} \equiv 1526 \pmod{4969}$, but location 1526 is taken. We compute 
$h_1(k_{10}) \equiv h(k_{10}) + g(k_{10}) = 1526 + 216 = 1742 \pmod{4969}$, because 
$g(k_{10}) \equiv 1 + k_{10} \equiv 216 \pmod{4967}$, but location 1742 is taken. Hence, we continue by finding 
$h_2(k_{10}) \equiv h(k_{10}) + 2g(k_{10}) \equiv 1958 \pmod{4969}$ and in this available location we place 
the tenth file. 

Table 5.2 lists the assignments for the files of students by their social security 
numbers. In the table, the file locations are shown in boldface. ◄ 

Social Security Number    h(k)    h_1(k)    h_2(k) 
344 401 659                269 
325 510 778               1526 
212 228 844               2854 
329 938 157               1526     1742 
047 900 151               3960 
372 500 191               4075 
034 367 980               2376 
546 332 190                578 
509 496 993                578     2580 
132 489 973               1526     1742      1958 

Table 5.2 Hashing function for student files. 

We wish to find conditions in which double hashing leads to clustering. Hence, we 
find conditions when 

(5.1) $h_i(k_1) = h_j(k_2)$ 

and 

(5.2) $h_{i+1}(k_1) = h_{j+1}(k_2)$, 

so that the two consecutive terms of two probe sequences agree. If both (5.1) and (5.2) 
occur, then 

(5.3) $h(k_1) + i\,g(k_1) \equiv h(k_2) + j\,g(k_2) \pmod{m}$ 

and 

(5.4) $h(k_1) + (i + 1)\,g(k_1) \equiv h(k_2) + (j + 1)\,g(k_2) \pmod{m}$. 

Subtracting congruence (5.3) from (5.4), we obtain 

$$g(k_1) \equiv g(k_2) \pmod{m}.$$

Because $0 < g(k) < m - 1$, the congruence $g(k_1) \equiv g(k_2) \pmod{m}$ implies that 
$g(k_1) = g(k_2)$. Consequently, 

$$k_1 + 1 \equiv k_2 + 1 \pmod{m - 2},$$

which tells us that 

$$k_1 \equiv k_2 \pmod{m - 2}.$$

Because $g(k_1) = g(k_2)$, we can simplify congruence (5.3) to obtain 

$$h(k_1) \equiv h(k_2) \pmod{m},$$

which shows that 

$$k_1 \equiv k_2 \pmod{m}.$$

Consequently, because $(m - 2, m) = 1$, Corollary 4.9.1 tells us that 

$$k_1 \equiv k_2 \pmod{m(m - 2)}.$$

Therefore, the only way that two probing sequences can agree for two consecutive terms 
is if the two keys involved, $k_1$ and $k_2$, are congruent modulo $m(m - 2)$. Hence, clustering 
is extremely rare. Indeed, if $m(m - 2) > k$ for all keys k, clustering will never occur. 
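
The following Python code is an added example, not code from the text: it replays Example 5.11 and the clustering argument above, and contrasts double hashing with the simple probe h(k) + j. The function names are chosen here for illustration, and g(k) is computed as 1 + (k mod (m - 2)) so that it lies in the range 1 to m - 2.

```python
"""Double hashing as in Example 5.11 (added illustration)."""

M = 4969  # prime modulus from the text; M - 2 = 4967 is also prime

# The ten social security numbers of Example 5.11, in insertion order.
KEYS = [344401659, 325510778, 212228844, 329938157, 47900151,
        372500191, 34367980, 546332190, 509496993, 132489973]


def h(k, m=M):
    """Primary hash: least nonnegative residue of k modulo m."""
    return k % m


def g(k, m=M):
    """Second hash g(k) = k + 1 (mod m - 2), taken in the range 1..m-2."""
    return 1 + k % (m - 2)


def probe_sequence(k, m=M, double=True):
    """Yield h_0(k), h_1(k), ... for double hashing (or the probe h(k) + j)."""
    step = g(k, m) if double else 1
    for j in range(m):
        yield (h(k, m) + j * step) % m


def insert_all(keys, m=M, double=True):
    """Place each key at the first free location of its probe sequence.

    Returns (table, paths): table maps location -> key, and paths[i] lists
    the locations examined for keys[i], ending with the one assigned.
    """
    table, paths = {}, []
    for k in keys:
        path = []
        for loc in probe_sequence(k, m, double):
            path.append(loc)
            if loc not in table:
                table[loc] = k
                break
        else:
            raise RuntimeError("no open memory location")
        paths.append(path)
    return table, paths


def lookup(table, k, m=M, double=True):
    """Follow the probe sequence of k; return its location or None."""
    for loc in probe_sequence(k, m, double):
        if loc not in table:
            return None          # reached an open location: k is not stored
        if table[loc] == k:
            return loc
    return None


def same_probes(k1, k2, m=M, terms=50):
    """True if the first `terms` probe locations of k1 and k2 coincide."""
    s1, s2 = probe_sequence(k1, m), probe_sequence(k2, m)
    return all(next(s1) == next(s2) for _ in range(terms))


if __name__ == "__main__":
    table, paths = insert_all(KEYS)
    for k, path in zip(KEYS, paths):          # rows of Table 5.2
        print(f"{k:09d}", *path)
    # Rearranged three-digit blocks collide when m divides 10^3 - 1.
    print(h(64212848, 111), h(64848212, 111))
    # k_4 and k_10 differ by a multiple of m(m - 2), so their probes coincide.
    print((KEYS[3] - KEYS[9]) % (M * (M - 2)), same_probes(KEYS[3], KEYS[9]))
```

Running it prints the rows of Table 5.2; the last line shows that the fourth and tenth keys of the example are congruent modulo m(m - 2), which is why the tenth file needs a second probe.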

5.4 Exercises 

1. A parking lot has 101 parking places. A total of 500 parking stickers are sold and only 50-75 
vehicles are expected to be parked at any time. Set up a hashing function and collision 
resolution policy for assigning parking places based on license plates displaying six-digit 
numbers. 

2. Assign memory locations for students in your class, using as keys the day of the month of 
birthdays of students, with hashing function $h(K) \equiv K \pmod{19}$, and 

a) with probing sequence $h_j(K) \equiv h(K) + j \pmod{19}$. 

b) with probing sequence $h_j(K) \equiv h(K) + j \cdot g(K)$, $0 \le j \le 16$, where 
$g(K) \equiv 1 + K \pmod{17}$. 

* 3. Let a hashing function be $h(K) \equiv K \pmod{m}$, with $0 \le h(K) < m$, and let the probing 
sequence for collision resolution be $h_j(K) \equiv h(K) + jq \pmod{m}$, $0 \le h_j(K) < m$, for 
$j = 1, 2, \ldots, m - 1$, where m and q are positive integers. Show that all memory locations 
are probed 

a) if m is prime and $1 \le q \le m - 1$. 

b) if $m = 2^r$ and q is odd. 

* 4. A probing sequence for resolving collisions where the hashing function is $h(K) \equiv K \pmod{m}$, 
$0 \le h(K) < m$, is given by $h_j(K) \equiv h(K) + j(2h(K) + 1) \pmod{m}$, $0 \le h_j(K) < m$. 

a) Show that if m is prime, then all memory sequences are probed. 

b) Determine conditions for clustering to occur; that is, when $h_j(K_1) = h_j(K_2)$ and 
$h_{j+r}(K_1) = h_{j+r}(K_2)$ for r = 1, 2, .... 

5. Using the hashing function and probing sequence of the example in the text, find open memory 
locations for the files of additional students with social security numbers $k_{11}$ = 137 612 044, 
$k_{12}$ = 505 576 452, $k_{13}$ = 157 170 996, $k_{14}$ = 131 220 418. (Add these to the ten files already 
stored.) 

Computations and Explorations 

1. Assign memory locations to the files of all the students in your class, using the hashing 
function and probing function from Example 5.11. After doing so, assign memory locations 
to other files with social security numbers that you make up. 

Programming Projects 

In each programming project, assign memory locations to student files, using the hashing 
function $h(k) \equiv k \pmod{1021}$, $0 \le h(k) < 1021$, where the keys are the social security numbers of 
students. 

1. linking files together when collisions occur. 

2. using $h_j(k) \equiv h(k) + j \pmod{1021}$, j = 0, 1, 2, ... as the probing sequence. 

3. using $h_j(k) \equiv h(k) + j \cdot g(k)$, j = 0, 1, 2, ..., where $g(k) \equiv 1 + k \pmod{1019}$, as the 
probing sequence. 


5.5 Check Digits 

Congruences can be used to check for errors in strings of digits. In this section, we will 
discuss error detection for bit strings, which are used to represent computer data. Then 
we will describe how congruences are used to detect errors in strings of decimal digits, 
which are used to identify passports, checks, books, and other types of objects. 

Manipulating or transmitting bit strings can introduce errors. A simple error detection 
method is to append the bit string $x_1x_2 \ldots x_n$ with a parity check bit $x_{n+1}$ defined 
by 

$$x_{n+1} \equiv x_1 + x_2 + \cdots + x_n \pmod{2},$$

so that $x_{n+1} = 0$ if an even number of the first n bits in the string are 1, whereas $x_{n+1} = 1$ 
if an odd number of these bits are 1. The appended string $x_1x_2 \ldots x_nx_{n+1}$ satisfies the 
congruence 

(5.5) $x_1 + x_2 + \cdots + x_n + x_{n+1} \equiv 0 \pmod{2}$. 

We use this congruence to look for errors. 

Suppose that we send $x_1x_2 \ldots x_nx_{n+1}$ and the string $y_1y_2 \ldots y_ny_{n+1}$ is received. 
These two strings are equal, that is, $y_i = x_i$ for $i = 1, 2, \ldots, n + 1$, when there are no 
errors. But if an error was made, they differ in one or more positions. We check whether 

(5.6) $y_1 + y_2 + \cdots + y_n + y_{n+1} \equiv 0 \pmod{2}$ 

holds. If this congruence fails, at least one error is present, but if it holds, errors may still 
be present. However, when errors are rare and random, the most common type of error 
is a single error, which is always detected. In general, we can detect an odd number of 
errors, but not an even number of errors (see Exercise 4). 

Example 5.12. Suppose that we receive 1101111 and 11001000, where the last bit in 
each string is a parity check bit. For the first string, note that $1 + 1 + 0 + 1 + 1 + 1 + 1 \equiv 
0 \pmod{2}$, so that either the received string is what was transmitted or it contains an 
even number of errors. For the second string, note that $1 + 1 + 0 + 0 + 1 + 0 + 0 + 0 \equiv 
1 \pmod{2}$, so that the received string was not the string sent; we ask for retransmission. ◄ 

Strings of decimal digits are used for identification numbers in many different 
contexts. Check digits, computed using a variety of schemes, are used to find errors 
in these strings. For instance, check digits are used to detect errors in passport numbers. 
In a scheme used by several European countries, if $x_1x_2x_3x_4x_5x_6$ is the identification 
number of a passport, the check digit $x_7$ is chosen so that 

$$x_7 \equiv 7x_1 + 3x_2 + x_3 + 7x_4 + 3x_5 + x_6 \pmod{10}.$$

Example 5.13. Suppose that the identification number of a passport is 211894. To find 
the check digit $x_7$, we compute 

$$x_7 \equiv 7 \cdot 2 + 3 \cdot 1 + 1 \cdot 1 + 7 \cdot 8 + 3 \cdot 9 + 1 \cdot 4 \equiv 5 \pmod{10},$$

so that the check digit is 5, and the seven-digit number 2118945 is printed on the passport. ◄ 

We can always detect a single error in a passport identification number appended 
with a check digit computed in this way. To see this, suppose that we make an error of 
a in a digit; that is, $y_j \equiv x_j + a \pmod{10}$, where $x_j$ is the correct jth digit and $y_j$ is the 
incorrect digit that replaces it. From the definition of the check digit, it follows that we 
change $x_7$ by either 7a, 3a, or a (mod 10), each of which changes $x_7$. However, errors 
caused by transposing two digits will be detected if and only if the difference between 
these two digits is not 5 or -5, that is, if they are not digits $x_i$ and $x_j$ with $|x_i - x_j| = 5$ 
(see Exercise 7). This scheme also detects a large number of possible errors involving 
the scrambling of three digits. 

ISBNs 

We now turn our attention to the use of check digits in publishing. Until 2007 books 
were identified by their ten-digit International Standard Book Number (ISBN) (ISBN-10). 
For instance, the ISBN-10 for the first edition of this text is 0-201-06561-4. Here the 
first block of digits, 0, represents the language of the book (English), the second block 
of digits, 201, represents the publisher of that edition (Addison-Wesley), the third block 
of digits, 06561, is the number assigned to the title by the publishing company to this 
book, and the final digit, in this case 4, is the check digit. (The sizes of the blocks differ 
for different languages and publishers.) The check digit in an ISBN-10 can be used to 
detect the errors most commonly made when ISBNs are copied, namely, single errors 
and errors made when two digits are transposed. 

In 2007, a new thirteen-digit code, ISBN-13, was introduced. ISBN-13 increases the 
number of available codes for books, needed because of the growth both in the number 
of publishers and books published around the world. It also aligns codes for books with 
those for consumer goods. During a transition period, books will have both an ISBN-10 
and an ISBN-13 code. The ISBN-13 code begins with a three-digit prefix, which is 
currently 978 for all books, followed by nine digits now used in ISBN-10 codes, followed 
by a single check digit. 

ISBN Check Digits 

First, we will describe how the check digit is determined for the ISBN-10 code of a 
book, and then show that it can be used to detect the commonly occurring types of errors. 
Suppose that the ISBN-10 of a book is $x_1x_2 \ldots x_{10}$, where $x_{10}$ is the check digit. (We 
ignore the hyphens in the ISBN, because the grouping of digits does not affect how the 
check digit is computed.) The first nine digits are decimal digits, that is, belong to the 
set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, whereas the check digit $x_{10}$ is a base 11 digit, belonging 
to the set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, X}, where X is the base 11 digit representing the 
integer 10 (in decimal notation). The check digit is selected so that the congruence 

$$\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$$

holds. As is easily seen (see Exercise 10), the check digit $x_{10}$ can be computed from 
the congruence $x_{10} \equiv \sum_{i=1}^{9} i x_i \pmod{11}$; that is, the check digit is the remainder upon 
division by 11 of a weighted sum of the first nine digits. 

Example 5.14. We find the check digit for the ISBN of the first edition of this text, 
which begins with 0-201-06561, by computing 

$$x_{10} \equiv 1 \cdot 0 + 2 \cdot 2 + 3 \cdot 0 + 4 \cdot 1 + 5 \cdot 0 + 6 \cdot 6 + 7 \cdot 5 + 8 \cdot 6 + 9 \cdot 1 \equiv 4 \pmod{11}.$$

Hence, the ISBN is 0-201-06561-4, as previously stated. Similarly, if the ISBN number 
of a book begins with 3-540-19102, we find the check digit using the congruence 

$$x_{10} \equiv 1 \cdot 3 + 2 \cdot 5 + 3 \cdot 4 + 4 \cdot 0 + 5 \cdot 1 + 6 \cdot 9 + 7 \cdot 1 + 8 \cdot 0 + 9 \cdot 2 \equiv 10 \pmod{11}.$$

This means that the check digit is X, the base 11 digit for the decimal number 10. Hence, 
the ISBN number is 3-540-19102-X. ◄ 

We will show that a single error, or a transposition of two digits, can be detected 
using the check digit of an ISBN. First, suppose that $x_1x_2 \ldots x_{10}$ is a valid ISBN, but 
that this number has been printed as $y_1y_2 \ldots y_{10}$. We know that $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$, 
because $x_1x_2 \ldots x_{10}$ is a valid ISBN. 

Suppose that exactly one error has been made in printing the ISBN. Then, for some 
integer j, we have $y_i = x_i$ for $i \ne j$ and $y_j = x_j + a$, where $-10 \le a \le 10$ and $a \ne 0$. 
Here, $a = y_j - x_j$ is the error in the jth place. Note that 

$$\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + ja \equiv ja \not\equiv 0 \pmod{11}$$

because $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$ and, by Lemma 3.5, it follows that $11 \nmid ja$ because $11 \nmid j$ 
and $11 \nmid a$. We conclude that $y_1y_2 \ldots y_{10}$ is not a valid ISBN so that we can investigate 
the error. 

Now suppose that two unequal digits have been transposed; then there are distinct 
integers j and k such that $y_j = x_k$ and $y_k = x_j$, and $y_i = x_i$ if $i \ne j$ and $i \ne k$. It follows 
that 

$$\sum_{i=1}^{10} i y_i = \sum_{i=1}^{10} i x_i + (j x_k - j x_j) + (k x_j - k x_k) \equiv (j - k)(x_k - x_j) \not\equiv 0 \pmod{11}$$

because $\sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$, and $11 \nmid (j - k)$ and $11 \nmid (x_k - x_j)$. We see that 
$y_1y_2 \ldots y_{10}$ is not a valid ISBN so that we can detect the interchange of two unequal 
digits. 

The check digit $a_{13}$ for an ISBN-13 code with initial 12 digits $a_i$, $i = 1, 2, \ldots, 12$, 
is determined by the congruence 

$$a_1 + 3a_2 + a_3 + 3a_4 + a_5 + 3a_6 + a_7 + 3a_8 + a_9 + 3a_{10} + a_{11} + 3a_{12} + a_{13} \equiv 0 \pmod{10}.$$

Just as for ISBN-10, ISBN-13 detects all single errors, but unlike ISBN-10, not all 
transpositions of two digits (see Exercises 21 and 22). So, the advantage of adding 
three digits comes with the cost of no longer detecting all transposition errors. 
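
The following Python code is an added example, not code from the text: it computes the passport, ISBN-10 and ISBN-13 check digits defined above and then tries every single-digit error and every transposition of two unequal digits on one valid code of each kind. The function names are chosen here, and the ISBN-13 used in the demonstration, 978-0-201-06561-9, is constructed for illustration by prefixing 978 to the nine digits 0-201-06561 and computing the check digit.

```python
"""Check digits of Section 5.5 and the errors they catch (added illustration)."""

PASSPORT_WEIGHTS = (7, 3, 1, 7, 3, 1)


def passport_check_digit(digits):
    """x7 = 7x1 + 3x2 + x3 + 7x4 + 3x5 + x6 (mod 10) for a six-digit string."""
    return sum(w * int(d) for w, d in zip(PASSPORT_WEIGHTS, digits)) % 10


def parse(code):
    """Drop hyphens and spaces; map the base 11 digit X to the integer 10."""
    return [10 if c in "Xx" else int(c) for c in code if c not in "- "]


def isbn10_check_digit(first9):
    """x10 = sum of i * x_i for i = 1..9 (mod 11), written with X for 10."""
    value = sum(i * x for i, x in enumerate(parse(first9), start=1)) % 11
    return "X" if value == 10 else str(value)


def isbn10_valid(values):
    """True if the sum of i * x_i for i = 1..10 is 0 modulo 11."""
    return len(values) == 10 and sum(
        i * x for i, x in enumerate(values, start=1)) % 11 == 0


def isbn13_weighted_sum(values):
    """a1 + 3a2 + a3 + 3a4 + ...: weights alternate 1, 3 from the left."""
    return sum((1 if i % 2 == 0 else 3) * a for i, a in enumerate(values))


def isbn13_check_digit(first12):
    """The digit a13 that makes the weighted sum 0 modulo 10."""
    return str(-isbn13_weighted_sum(parse(first12)) % 10)


def isbn13_valid(values):
    return len(values) == 13 and isbn13_weighted_sum(values) % 10 == 0


def undetected_single_errors(values, valid, radix):
    """List (position, wrong_value) pairs that still pass the check.

    radix[i] is the number of symbols allowed at position i (11 for the
    ISBN-10 check digit, 10 everywhere else). Positions are 1-based.
    """
    missed = []
    for i, correct in enumerate(values):
        for wrong in range(radix[i]):
            if wrong != correct:
                trial = values[:i] + [wrong] + values[i + 1:]
                if valid(trial):
                    missed.append((i + 1, wrong))
    return missed


def undetected_transpositions(values, valid):
    """List 1-based position pairs (j, k) of unequal digits whose swap passes."""
    missed = []
    for j in range(len(values)):
        for k in range(j + 1, len(values)):
            if values[j] != values[k]:
                trial = values[:]
                trial[j], trial[k] = trial[k], trial[j]
                if valid(trial):
                    missed.append((j + 1, k + 1))
    return missed


if __name__ == "__main__":
    print(passport_check_digit("211894"))              # Example 5.13
    print(isbn10_check_digit("0-201-06561"), isbn10_check_digit("3-540-19102"))
    isbn10 = parse("3-540-19102-X")
    print(undetected_single_errors(isbn10, isbn10_valid, [10] * 9 + [11]))
    print(undetected_transpositions(isbn10, isbn10_valid))
    isbn13 = parse("978-0-201-06561-9")                 # constructed sample
    print(undetected_single_errors(isbn13, isbn13_valid, [10] * 13))
    print(undetected_transpositions(isbn13, isbn13_valid))
```

For the ISBN-10 both lists are empty. For the constructed ISBN-13 every single error is caught, but swapping the adjacent digits 6 and 1 in positions 11 and 12 passes the check, as does any swap of two unequal digits that carry the same weight.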

We have discussed how a single check digit can be used to detect errors in strings 
of digits. However, using a single check digit, we cannot detect an error and then correct 
it, that is, replace the digit in error with the valid one. It is possible to detect and correct 
an error using additional digits satisfying certain congruences (see Exercises 24 and 26, 
for example). The reader is referred to any text on coding theory for more information 
on error detection and correction. Coding theory uses many results from different parts 
of mathematics, including number theory, abstract algebra, combinatorics, and even 
geometry. To find good sources of information, consult Chapter 14 of [Ro99a]. We also 
refer the reader to the excellent articles by J. Gallian on check digits, [Ga92], [Ga91], 
[Ga96], and [GaWi88], for related information, including how check digits for driver's 
license numbers are found, and the book [Ki01], entirely devoted to check digits and 
identification numbers. 


Exercises 

1. What is the parity check bit that should be added to each of the following bit strings? 

a) 111111 c) 101010 e) 11111111 

b) 000000 d) 100000 f) 11001011 

2. Suppose that you receive the following bit strings, where the last bit is a parity check bit. 
Which strings do you know are incorrect? 

a) 111111111 b) 0101010101010 c) 1111010101010101 

3. Assume that each of the following strings, ending with a parity check bit, was received 
correctly except for a missing bit indicated with a question mark. What is the missing bit? 

a) 1?11111 b) 000?10101 c) ?0101010100 

4. Show that a parity check bit can detect an odd number of errors, but not an even number of 
errors. 

5. Using the check digit scheme described in the text, find the check digit that should be added 
to the following passport identification numbers. 

a) 132999 b) 805237 c) 645153 

6. Are the following passport identification numbers valid, where the seventh digit is the check 
digit computed as described in the text? 

a) 3300118 b) 4501824 c) 1873336 

7. Show that the passport check digit scheme described in the text detects transposition of the 
digits $x_i$ and $x_j$ if and only if $|x_i - x_j| \ne 5$. 

8. The bank identification number printed on a check consists of eight digits, $x_1x_2 \ldots x_8$, 
followed by a ninth check digit, $x_9$, where $x_9 \equiv 7x_1 + 3x_2 + 9x_3 + 7x_4 + 3x_5 + 9x_6 + 7x_7 + 
3x_8 \pmod{10}$. 

a) What is the check digit following the eight-digit identification number 00185403? 

b) Which single errors in bank identification numbers does a check digit computed in this 
way detect? 

c) Which transpositions of two digits does this scheme detect? 

9. What should the check digit be to complete each of the following ten-digit ISBNs? 

a) 2-113-54001 c) 1-2123-9940 

b) 0-19-081082 d) 0-07-038133 

10. Show that the check digit $x_{10}$ in an ISBN-10 $x_1x_2 \ldots x_{10}$ can be computed from the 
congruence $x_{10} \equiv \sum_{i=1}^{9} i x_i \pmod{11}$. 

11. Determine whether each of the following ISBN-10 codes is valid. 

a) 0-394-38049-5 c) 0-8218-0123-6 e) 90-6191-705-2 

b) 1-09-231221-3 d) 0-404-50874-X 

12. Suppose that one digit, indicated with a question mark, in each of the following ISBN-10 
codes has been smudged and cannot be read. What should this missing digit be? 

a) 0-19-8?3804-9 b) 91-554-212?-6 c) ?-261-05073-X 

13. While copying the ISBN-10 for a book, a clerk accidentally transposed two digits. If the 
clerk copied the ISBN-10 as 0-07-289095-0 and did not make any other mistakes, what is the 
correct ISBN-10 for this book? 

Retail products are often identified by Universal Product Codes (UPCs), the most common of 
which consists of 12 decimal digits. The first digit identifies a product category, the next five the 
manufacturer, the following five the particular product, and the last digit is a check digit. The 
check digit is determined by the following three steps that use the first 11 digits of the UPC. 
First, digits in odd-numbered positions, starting from the left, are added, and the resulting sum 
is tripled. Second, the sum of digits in even-numbered positions is added to the result of the first 
step. Third, the check is found by determining which decimal digit, when added to the overall 
result of the second step, produces an integer divisible by 10. 

14. Give a formula using a congruence that produces the check digit for a UPC from the 11 digits 
representing the product category, manufacturer, and particular product. 

15. Determine whether each of the following 12-digit strings can be the UPC of a product. 

a) 0 47000 00183 6 c) 0 58000 00127 5 

b) 3 11000 01038 9 d) 2 26500 01179 4 

16. What is the check digit for the 12-digit UPC code that begins with each of the following 
11-digit strings? 

a) 3 81370 02918 c) 0 33003 31439 

b) 5 01175 00557 d) 4 11000 01028 

17. Determine whether the 12-digit UPC code can always detect an error in exactly one digit. 

18. Determine whether the 12-digit UPC code can always detect the transposition of two digits. 

19. Determine whether each of the following ISBN-13 codes is valid. 

a) 978-0-073-22972-0 c) 978-1-4000-8277-3 e) 978-1-56975-655-3 

b) 978-0-073-10779-1 d) 978-0-43985-654-2 

20. Determine whether each of the following ISBN-13 codes is valid. 

a) 978-0-06135-328-9 c) 978-1-41697-800-8 e) 978-0-67-002053-9 

b) 978-0-79225-314-3 d) 978-0-45228-521-0 

21. Show that a single error is always detected by the ISBN-13 code. 

22. Show that there are transpositions of two digits that are not detected by the ISBN-13 code. 

23. Suppose we specify that the valid 10-digit decimal code words $x_1x_2 \ldots x_{10}$ are those satisfying 
the congruence $\sum_{i=1}^{10} x_i \equiv 0 \pmod{11}$. 

a) Can we detect all single errors in a code word? 

b) Can we detect transposition of two digits in a code word? 

* 24. Suppose that the only valid 10-digit code words $x_1x_2 \ldots x_{10}$ are those satisfying the 
congruences $\sum_{i=1}^{10} x_i \equiv \sum_{i=1}^{10} i x_i \equiv 0 \pmod{11}$. 

a) Show that the valid code words, where the first digits are decimal digits, that is, in the 
set {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, are those where the last two digits satisfy the congruences 
$x_9 \equiv \sum_{i=1}^{8} (i + 1)x_i \pmod{11}$ and $x_{10} \equiv \sum_{i=1}^{8} (9 - i)x_i \pmod{11}$. 

b) Find the number of valid decimal code words. 

c) Show that any single error in a code word can be detected and corrected, because the 
location and value of the error can be determined. 

d) Show that we can detect any error caused by transposing two digits in a code word. 

25. The government of Norway assigns an 11-digit decimal registration number $x_1x_2 \ldots x_{11}$ to 
each of its citizens using a scheme designed by Norwegian number theorist E. Selmer. The 
digits $x_1x_2 \ldots x_6$ represent the date of birth, the digits $x_7x_8x_9$ identify the particular person 
born that day, and $x_{10}$ and $x_{11}$ are check digits that are computed using the congruences 
$x_{10} \equiv 8x_1 + 4x_2 + 5x_3 + 10x_4 + 3x_5 + 2x_6 + 7x_7 + 6x_8 + 9x_9 \pmod{11}$ and 
$x_{11} \equiv 6x_1 + 7x_2 + 8x_3 + 9x_4 + 4x_5 + 5x_6 + 6x_7 + 7x_8 + 8x_9 + 9x_{10} \pmod{11}$. 

a) Determine the check digits that follow the first nine digits 110491238. 

b) Show that this scheme detects all single errors in a registration number. 

* c) Which double errors are detected? 

* 26. Suppose that we specify that the valid 10-digit code words $x_1x_2 \ldots x_{10}$, where each digit 
is a decimal digit, are those satisfying the congruences $\sum_{i=1}^{10} x_i \equiv \sum_{i=1}^{10} i x_i \equiv 
\sum_{i=1}^{10} i^2 x_i \equiv \sum_{i=1}^{10} i^3 x_i \equiv 0 \pmod{11}$. 

a) How many valid 10-digit code words are there? 

b) Show how any two errors in a code word can be corrected. 

c) Suppose a code word has been received as 0204906710. If two errors have been made, 
what is the correct code word? 

Airline tickets carry 15-digit identification numbers $a_1a_2 \ldots a_{14}a_{15}$, where $a_{15}$ is a check digit 
that equals the least nonnegative residue of the integer $a_1a_2 \ldots a_{14}$ modulo 7. 
27. Find the check digit $a_{15}$ that follows each of these initial 14 digits of airplane ticket 
identification numbers. 

a) 00032781811224 b) 10238544122339 c) 00611133123278 

28. Determine whether these are valid airline ticket identification numbers. 

a) 102284711033122 b) 004113711331240 c) 100261413001533 

29. Determine which errors in a single digit can be detected and which cannot be detected using 
the check digit for airline tickets. 

30. Determine which errors involving the transposition of two adjacent digits in the identification 
number of an airline ticket can be detected and which cannot be detected using the check digit 
for airline tickets. 

The International Standard Serial Number (ISSN) used to identify a periodical consists of two 
blocks of four digits, where the last digit in the second block is a base 11 check digit. As in an 
ISBN, the character X represents 10 (in decimal notation). The check digit $d_8$ is determined by 
the congruence $d_8 \equiv 3d_1 + 4d_2 + 5d_3 + 6d_4 + 7d_5 + 8d_6 + 9d_7 \pmod{11}$. 

31. For each of the following initial seven digits of an ISSN, determine the correct check digit. 

a) 0317-847 b) 0423-555 c) 1063-669 d) 1363-837 

32. Is it always possible to detect a single error in an ISSN? That is, is it always possible to detect 
that an error was made when one digit of an ISSN has been copied incorrectly? Justify your 
answer. 

33. Is it always possible to detect when two consecutive digits in an ISSN have been accidentally 
transposed? Justify your answer. 


Computations and Explorations 

1. Check the ISBN-10 codes of a selection of books to see whether the check digit was computed 
correctly. 

2. Check the ISBN-13 codes of a selection of recently published books to see whether the check 
digit was computed correctly. 

Programming Projects 

1. Determine whether a bit string, ending with a parity check bit, has either an odd or an even 
number of errors. 

2. Determine the check digit for an ISBN-10 code, given the first nine digits. 

3. Determine whether a 10-digit string, where the first nine digits are decimal digits and the last 
is a decimal digit or an X, is a valid ISBN-10 code. 

4. Determine whether a 12-digit decimal string is a valid UPC. 

5. Determine the check digit for an ISBN-13 code, given the first 12 digits. 

6. Determine whether a 13-digit string is a valid ISBN-13 code. 






6 Some Special Congruences 


In this chapter, we discuss three congruences that have both theoretical and practical 
significance: Wilson’s theorem shows that when p is prime, the remainder when 
$(p - 1)!$ is divided by p is $-1$. Fermat’s little theorem provides a congruence for the 
pth powers of integers modulo p. In particular, it shows that if p is prime, then $a^p$ and a 
have the same remainder when divided by p whenever a is an integer. Euler’s theorem 
provides a generalization of Fermat’s little theorem for moduli that are not prime. 

These three congruences have many applications. For example, we will explain how 
Fermat’s little theorem can be used as the basis for primality tests and factoring 
algorithms. We will also discuss composite integers, called pseudoprimes, that masquerade 
as primes by satisfying the same congruence that primes do in Fermat’s little theorem. 
We will use the fact that pseudoprimes are relatively rare to develop some tests that can 
provide overwhelming evidence that an integer is prime. 


6.1 Wilson’s Theorem and Fermat’s Little Theorem 

In a book published in 1770, English mathematician Edward Waring stated that one of 
his students, John Wilson, had discovered that (p — 1)! + 1 is divisible by p whenever 
p is prime. Furthermore, he stated that neither he nor Wilson knew how to prove it. 
Most likely, Wilson made this conjecture based on numerical evidence. For example, we 
can easily see that 2 divides 1! + 1 = 2, 3 divides 2! + 1 = 3, 5 divides 4! + 1 — 25, 7 
divides 6! + 1 = 721, and so on. Although Waring thought it would be difficult to find a 
proof, Joseph Lagrange proved this result in 1771. Nevertheless, the fact that p divides 
(p — 1)! + 1 is known as Wilson’s theorem. We now state this theorem in the form of a 
congruence. 

Theorem 6.1. Wilson’s Theorem. If p is prime, then (p — 1)1 = — 1 (mod p). 

Before proving Wilson’s theorem, we use an example to illustrate the idea behind 
the proof. 

Example 6.1. Let p = 7. We have (7 — 1) ! = 6! = 1 • 2 ■ 3 ■ 4 • 5 • 6. We will rearrange 
the factors in the product, grouping together pairs of inverses modulo 7. We note 
that 2 • 4 = 1 (mod 7) and 3 • 5 = 1 (mod 7). Hence, 6! = 1 • (2 ■ 4) • (3 ■ 5) ■ 6 = 1 • 6 = 
— 1 (mod 7). Thus, we have verified a special case of Wilson’s theorem. ◄ 
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We now use the technique illustrated in the example to prove Wilson’s theorem. 

Proof. When $p = 2$, we have $(p-1)! = 1 \equiv -1 \pmod{2}$. Hence, the theorem is true for 
$p = 2$. Now let $p$ be a prime greater than 2. Using Theorem 4.11, for each integer $a$ with 
$1 \le a \le p-1$ there is an inverse $\bar{a}$, $1 \le \bar{a} \le p-1$, with $a\bar{a} \equiv 1 \pmod{p}$. By Theorem 
4.12, the only positive integers less than $p$ that are their own inverses are 1 and $p-1$. 
Therefore, we can group the integers from 2 to $p-2$ into $(p-3)/2$ pairs of integers, 
with the product of each pair congruent to 1 modulo $p$. Hence, we have 

$2 \cdot 3 \cdots (p-3) \cdot (p-2) \equiv 1 \pmod{p}$. 

We multiply both sides of this congruence by 1 and $p-1$ to obtain 

$(p-1)! = 1 \cdot 2 \cdot 3 \cdots (p-3)(p-2)(p-1) \equiv 1 \cdot (p-1) \equiv -1 \pmod{p}$. 

This completes the proof. ■ 

An interesting observation is that the converse of Wilson’s theorem is also true, as 
the following theorem shows. 

Theorem 6.2. If $n$ is a positive integer with $n > 2$ such that $(n-1)! \equiv -1 \pmod{n}$, 
then $n$ is prime. 

Proof. Assume that $n$ is a composite integer and that $(n-1)! \equiv -1 \pmod{n}$. Because 
$n$ is composite, we have $n = ab$, where $1 < a < n$ and $1 < b < n$. Because $a < n$, we 
know that $a \mid (n-1)!$, because $a$ is one of the $n-1$ numbers multiplied together to 
form $(n-1)!$. Because $(n-1)! \equiv -1 \pmod{n}$, it follows that $n \mid ((n-1)! + 1)$. This 
means, by Theorem 1.8, that $a$ also divides $(n-1)! + 1$. By Theorem 1.9, because 
$a \mid (n-1)!$ and $a \mid ((n-1)! + 1)$, we conclude that $a \mid ((n-1)! + 1) - (n-1)! = 1$. 
This is a contradiction, because $a > 1$. ■ 


JOSEPH LOUIS LAGRANGE (1736-1813) was born in Italy and studied 
physics and mathematics at the University of Turin. Although he originally 
planned to pursue a career in physics, Lagrange’s growing interest in mathematics 
led him to change course. At the age of 19, he was appointed as a mathematics 
professor at the Royal Artillery School in Turin. In 1766, he filled the post Euler 
vacated at the Royal Academy of Berlin when Frederick the Great sought him 
out. Lagrange directed the mathematics section of the Royal Academy for 20 
years. In 1787, when his patron Frederick the Great died, Lagrange moved to 
France at the invitation of Louis XVI, to join the French Academy. In France, he had a distinguished 
career in teaching and writing. He was a favorite of Marie Antoinette, but managed to win the favor of 
the new regime that came into power after the French Revolution. Lagrange’s contributions to 
mathematics include unifying the mathematical theory of mechanics. He made fundamental discoveries in 
group theory, and helped put calculus on a rigorous foundation. His contributions to number theory 
include the first proof of Wilson’s theorem, and the result that every positive integer can be written as 
the sum of four squares. 

Wilson’s theorem can be used to demonstrate that a composite integer is not prime, 
as Example 6.2 shows. 

Example 6.2. Because $(6-1)! = 5! = 120 \equiv 0 \pmod{6}$, Theorem 6.1 verifies the 
obvious fact that 6 is not prime. ◄ 

As we can see, Wilson’s theorem and its converse give us a primality test. To 
decide whether an integer $n$ is prime, we determine whether $(n-1)! \equiv -1 \pmod{n}$. 
Unfortunately, this is an impractical test because $n-2$ multiplications modulo $n$ are 
needed to find $(n-1)!$, requiring $O(n(\log_2 n)^2)$ bit operations. 

Fermat made many important discoveries in number theory, including the fact that $p$ 
divides $a^{p-1} - 1$ whenever $p$ is prime and $a$ is an integer not divisible by $p$. He stated this 
result in a letter to one of his mathematical correspondents, Bernard Frenicle de Bessy, 
in 1640. Fermat did not bother to enclose a proof with his letter, stating that he feared that 
a proof would be too long. Unlike Fermat’s notorious last theorem, discussed in Chapter 
13, there is little doubt that Fermat really knew how to prove this theorem (which is called 
“Fermat’s little theorem” to distinguish it from his “last theorem”). Leonhard Euler is 
credited with the first published proof, in 1736. Euler also generalized Fermat’s little 
theorem; we will explain how in Section 6.3. 

Theorem 6.3. Fermat’s Little Theorem. If $p$ is prime and $a$ is an integer with $p \nmid a$, 
then $a^{p-1} \equiv 1 \pmod{p}$. 

Proof. Consider the $p-1$ integers $a, 2a, \ldots, (p-1)a$. None of these integers are 
divisible by $p$, for if $p \mid ja$, then by Lemma 3.4, $p \mid j$, because $p \nmid a$. This is impossible, 
because $1 \le j \le p-1$. Furthermore, no two of the integers $a, 2a, \ldots, (p-1)a$ are 
congruent modulo $p$. To see this, assume that $ja \equiv ka \pmod{p}$, where $1 \le j < k \le p-1$. 
Then, by Corollary 4.5.1, because $(a, p) = 1$, we have $j \equiv k \pmod{p}$. This is 
impossible, because j and k are positive integers less than p − 1. 

Because the integers $a, 2a, \ldots, (p-1)a$ are a set of $p-1$ integers all incongruent 
to 0, and no two are congruent modulo $p$, by Lemma 4.1 we know that the least 
positive residues of $a, 2a, \ldots, (p-1)a$, taken in some order, must be the integers 
$1, 2, \ldots, p-1$. As a consequence, the product of the integers $a, 2a, \ldots, (p-1)a$ 
is congruent modulo $p$ to the product of the first $p-1$ positive integers. Hence, 

$a \cdot 2a \cdots (p-1)a \equiv 1 \cdot 2 \cdots (p-1) \pmod{p}$. 

Therefore, 

$a^{p-1}(p-1)! \equiv (p-1)! \pmod{p}$. 

Because $((p-1)!, p) = 1$, using Corollary 4.5.1, we cancel $(p-1)!$ to obtain 
$a^{p-1} \equiv 1 \pmod{p}$. 

We illustrate the ideas of the proof with an example. 

Example 6.3. Let $p = 7$ and $a = 3$. Then, $1 \cdot 3 \equiv 3 \pmod{7}$, $2 \cdot 3 \equiv 6 \pmod{7}$, 
$3 \cdot 3 \equiv 2 \pmod{7}$, $4 \cdot 3 \equiv 5 \pmod{7}$, $5 \cdot 3 \equiv 1 \pmod{7}$, and $6 \cdot 3 \equiv 4 \pmod{7}$. Consequently, 

$(1 \cdot 3) \cdot (2 \cdot 3) \cdot (3 \cdot 3) \cdot (4 \cdot 3) \cdot (5 \cdot 3) \cdot (6 \cdot 3) \equiv 3 \cdot 6 \cdot 2 \cdot 5 \cdot 1 \cdot 4 \pmod{7}$, 

so that $3^6 \cdot 1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \equiv 3 \cdot 6 \cdot 2 \cdot 5 \cdot 1 \cdot 4 \pmod{7}$. Hence, $3^6 \cdot 6! \equiv 6! \pmod{7}$, and 
therefore $3^6 \equiv 1 \pmod{7}$. ◄ 

Theorem 6.4. If $p$ is prime and $a$ is a positive integer, then $a^p \equiv a \pmod{p}$. 

Proof. If $p \nmid a$, by Fermat’s little theorem, we know that $a^{p-1} \equiv 1 \pmod{p}$. Multiplying 
both sides of this congruence by $a$, we find that $a^p \equiv a \pmod{p}$. If $p \mid a$, then $p \mid a^p$ 
as well, so that $a^p \equiv a \equiv 0 \pmod{p}$. This finishes the proof, because $a^p \equiv a \pmod{p}$ if 
$p \nmid a$ and if $p \mid a$. ■ 

Finding the least positive residue of powers of integers is often required in num- 
ber theory and its applications — especially cryptography, as we will see in Chapter 8. 
Fermat’s little theorem is a useful tool in such computations, as the following example 
shows. 

Example 6.4. We can find the least positive residue of $3^{201}$ modulo 11 with the help 
of Fermat’s little theorem. We know that $3^{10} \equiv 1 \pmod{11}$. Hence, 
$3^{201} = (3^{10})^{20} \cdot 3 \equiv 3 \pmod{11}$. ◄ 

A useful application of Fermat’s little theorem is provided by the following result. 

Theorem 6.5. If $p$ is prime and $a$ is an integer such that $p \nmid a$, then $a^{p-2}$ is an inverse 
of $a$ modulo $p$. 

Proof. If $p \nmid a$, by Fermat’s little theorem we have $a \cdot a^{p-2} = a^{p-1} \equiv 1 \pmod{p}$. 
Hence, $a^{p-2}$ is an inverse of $a$ modulo $p$. ■ 

Example 6.5. By Theorem 6.5, we know that $2^9 = 512 \equiv 6 \pmod{11}$ is an inverse of 
2 modulo 11. ◄ 

Theorem 6.5 gives us another way to solve linear congruences with respect to prime 
moduli. 

Corollary 6.5.1. If $a$ and $b$ are positive integers and $p$ is prime with $p \nmid a$, then 
the solutions of the linear congruence $ax \equiv b \pmod{p}$ are the integers $x$ such that 
$x \equiv a^{p-2}b \pmod{p}$. 

Proof. Suppose that $ax \equiv b \pmod{p}$. Because $p \nmid a$, we know from Theorem 6.5 that 
$a^{p-2}$ is an inverse of $a \pmod{p}$. Multiplying both sides of the original congruence by 
$a^{p-2}$, we have 

$a^{p-2}ax \equiv a^{p-2}b \pmod{p}$. 

Hence, 

$x \equiv a^{p-2}b \pmod{p}$. 

The Pollard p − 1 Factorization Method 

Fermat’s little theorem is the basis of a factorization method invented by J. M. Pollard in 
1974. This method, known as the Pollard $p-1$ method, can find a nontrivial factor of an 
integer $n$ when $n$ has a prime factor $p$ such that the primes dividing $p-1$ are relatively 
small. 

To see how this method works, suppose that we want to find a factor of the positive 
integer $n$. Furthermore, suppose that $n$ has a prime factor $p$ such that $p-1$ divides 
$k!$, where $k$ is a positive integer. We want $p-1$ to have only small prime factors, so 
that there is such an integer $k$ that is not too large. For example, if $p = 2269$, then 
$p - 1 = 2268 = 2^2 \cdot 3^4 \cdot 7$, so that $p-1$ divides $9!$, but no smaller value of the factorial 
function. 

The reason we want $p-1$ to divide $k!$ is so that we can apply Fermat’s little theorem. 
By Fermat’s little theorem, we know that $2^{p-1} \equiv 1 \pmod{p}$. Now, because $p-1$ divides 
$k!$, $k! = (p-1)q$ for some integer $q$. Hence, 

$2^{k!} = 2^{(p-1)q} = (2^{p-1})^q \equiv 1^q = 1 \pmod{p}$, 

which implies that $p$ divides $2^{k!} - 1$. Now let $M$ be the least positive residue of $2^{k!} - 1$ 
modulo $n$, so that $M = (2^{k!} - 1) - nt$ for some integer $t$. We see that $p$ divides $M$ because 
it divides both $2^{k!} - 1$ and $n$. 

Now, to find a divisor of $n$, we need only compute the greatest common divisor of 
$M$ and $n$, $d = (M, n)$. This can be done rapidly using the Euclidean algorithm. For this 
divisor $d$ to be a nontrivial divisor, it is necessary that $M$ not be 0. This is the case when 
$n$ does not itself divide $2^{k!} - 1$, which is likely when $n$ has large prime divisors. 

To use this method, we must compute $2^{k!}$, where $k$ is a positive integer. This can 
be done efficiently because modular exponentiation can be done efficiently. To find the 
least positive remainder of $2^{k!}$ modulo $n$, we set $r_1 = 2$ and use the following sequence of 
computations: $r_2 \equiv r_1^2 \pmod{n}$, $r_3 \equiv r_2^3 \pmod{n}$, $\ldots$, $r_k \equiv r_{k-1}^k \pmod{n}$. We illustrate 
this procedure in the following example. 

Example 6.6. To find $2^{9!} \pmod{5{,}157{,}437}$, we perform the following sequence of 
computations: 

$r_2 \equiv r_1^2 = 2^2 \equiv 4 \pmod{5{,}157{,}437}$ 
$r_3 \equiv r_2^3 = 4^3 \equiv 64 \pmod{5{,}157{,}437}$ 
$r_4 \equiv r_3^4 = 64^4 \equiv 1{,}304{,}905 \pmod{5{,}157{,}437}$ 
$r_5 \equiv r_4^5 = 1{,}304{,}905^5 \equiv 404{,}913 \pmod{5{,}157{,}437}$ 
$r_6 \equiv r_5^6 = 404{,}913^6 \equiv 2{,}157{,}880 \pmod{5{,}157{,}437}$ 
$r_7 \equiv r_6^7 = 2{,}157{,}880^7 \equiv 4{,}879{,}227 \pmod{5{,}157{,}437}$ 
$r_8 \equiv r_7^8 = 4{,}879{,}227^8 \equiv 4{,}379{,}778 \pmod{5{,}157{,}437}$ 
$r_9 \equiv r_8^9 = 4{,}379{,}778^9 \equiv 4{,}381{,}440 \pmod{5{,}157{,}437}$. 

It follows that $2^{9!} \equiv 4{,}381{,}440 \pmod{5{,}157{,}437}$. ◄ 

The following example illustrates the use of the Pollard p — 1 method to find a factor 
of the integer 5,157,437. 

Example 6.7. To factor 5,157,437 using the Pollard $p-1$ method, we successively find 
$r_k$, the least positive residue of $2^{k!}$ modulo 5,157,437, for $k = 1, 2, 3, \ldots$, as was done in 
Example 6.6. We compute $(r_k - 1, 5{,}157{,}437)$ at each step. To find a factor of 5,157,437 
requires nine steps, because $(r_k - 1, 5{,}157{,}437) = 1$ for $k = 1, 2, 3, 4, 5, 6, 7, 8$ (as the 
reader can verify), but $(r_9 - 1, 5{,}157{,}437) = (4{,}381{,}439, 5{,}157{,}437) = 2269$. It follows 
that 2269 is a divisor of 5,157,437. ◄ 

The Pollard p — 1 method does not always work. However, because nothing in the 
method depends on the choice of 2 as the base, we can extend the method and find a factor 
for more integers by using integers other than 2 as the base. In practice, the Pollard p — 1 
method is used after trial divisions by small primes, but before the heavy artillery of such 
methods as the quadratic sieve and the elliptic curve method. 
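
The procedure of Examples 6.6 and 6.7, written out in Python as an added illustration (this code is not from the text; the names `residues`, `pollard_p_minus_1`, `factor_with_bases` and the bound `k_max` are assumptions). It also covers the two remarks above that the examples do not exercise: the case M = 0, where the gcd is n itself, and retrying with a base other than 2.

```python
from math import gcd


def residues(n, k_max, base=2):
    """Return [r_1, ..., r_k_max], where r_k is the least positive residue
    of base^(k!) modulo n, computed as r_1 = base, r_k = r_(k-1)^k mod n."""
    r, out = base % n, []
    for k in range(1, k_max + 1):
        r = pow(r, k, n)          # for k = 1 this leaves r_1 = base
        out.append(r)
    return out


def pollard_p_minus_1(n, base=2, k_max=1000):
    """Return (d, k) for the first k <= k_max with 1 < (r_k - 1, n) < n.

    Returns None when this base gives no answer: either no prime factor p
    of n has p - 1 dividing k_max!, or M = 0, meaning n itself divides
    base^(k!) - 1 and the gcd jumps straight from 1 to n.
    """
    d = gcd(base, n)
    if 1 < d < n:
        return d, 0               # the base already shares a factor with n
    if d == n:
        return None
    r = base % n
    for k in range(2, k_max + 1):
        r = pow(r, k, n)
        d = gcd(r - 1, n)
        if d == n:                # M = 0: this base cannot separate the factors
            return None
        if d > 1:
            return d, k
    return None


def factor_with_bases(n, bases=(2, 3, 5, 7), k_max=1000):
    """Try each base in turn; return (base, divisor, k) or None."""
    for b in bases:
        hit = pollard_p_minus_1(n, b, k_max)
        if hit is not None:
            return (b,) + hit
    return None


if __name__ == "__main__":
    n = 5157437                   # the integer of Examples 6.6 and 6.7
    for k, r in enumerate(residues(n, 9), start=1):
        print(f"r_{k} = {r:>9,}   (r_{k} - 1, n) = {gcd(r - 1, n)}")
    print("divisor and step:", pollard_p_minus_1(n))
    # 341 = 11 * 31: bases 2 and 3 reach gcd = 341 at k = 5, base 5 succeeds.
    print("341:", factor_with_bases(341))
```

For cryptographic key generation this is the reason a modulus should not have a prime factor p for which p − 1 has only small prime factors: such a factor falls to this method after few steps.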


6.1 Exercises 

1. Show that 10! + 1 is divisible by 11, by grouping together pairs of inverses modulo 11 that 
occur in 10!. 

2. Show that 12! + 1 is divisible by 13, by grouping together pairs of inverses modulo 13 that 
occur in 12!. 

3. What is the remainder when 16! is divided by 19? 

4. What is the remainder when 5! 25! is divided by 31? 

5. Using Wilson’s theorem, find the least positive residue of $8 \cdot 9 \cdot 10 \cdot 11 \cdot 12 \cdot 13$ modulo 7. 

6. What is the remainder when 7 • 8 • 9 • 15 • 16 • 17 • 23 • 24 • 25 • 43 is divided by 11? 

7. What is the remainder when 18 ! is divided by 437? 

8. What is the remainder when 40! is divided by 1763? 

9. What is the remainder when $5^{100}$ is divided by 7? 

10. What is the remainder when $6^{2000}$ is divided by 11? 

11. Using Fermat’s little theorem, find the least positive residue of $3^{999{,}999{,}999}$ modulo 7. 

12. Using Fermat’s little theorem, find the least positive residue of $2^{1{,}000{,}000}$ modulo 17. 

13. Show that $3^{10} \equiv 1 \pmod{11^2}$. 

14. Using Fermat’s little theorem, find the last digit of the base 7 expansion of $3^{100}$. 

15. Using Fermat’s little theorem, find the solutions of the following linear congruences. 
a) $7x \equiv 12 \pmod{17}$ b) $4x \equiv 11 \pmod{19}$ 

16. Show that if $n$ is a composite integer with $n \ne 4$, then $(n-1)! \equiv 0 \pmod{n}$. 

17. Show that if $p$ is an odd prime, then $2(p-3)! \equiv -1 \pmod{p}$. 

18. Show that if $n$ is odd and $3 \nmid n$, then $n^2 \equiv 1 \pmod{24}$. 

19. Show that $a^{12} - 1$ is divisible by 35 whenever $(a, 35) = 1$. 

20. Show that $a^6 - 1$ is divisible by 168 whenever $(a, 42) = 1$. 

21. Show that $42 \mid (n^7 - n)$ for all positive integers $n$. 

22. Show that $30 \mid (n^9 - n)$ for all positive integers $n$. 

23. Show that $1^{p-1} + 2^{p-1} + 3^{p-1} + \cdots + (p-1)^{p-1} \equiv -1 \pmod{p}$ whenever $p$ is prime. (It 
has been conjectured that the converse of this is also true.) 

24. Show that $1^p + 2^p + 3^p + \cdots + (p-1)^p \equiv 0 \pmod{p}$ when $p$ is an odd prime. 

25. Show that if $p$ is prime and $a$ and $b$ are integers not divisible by $p$, with $a^p \equiv b^p \pmod{p}$, 
then $a^p \equiv b^p \pmod{p^2}$. 

26. Use the Pollard p — 1 method to find a divisor of 689. 

27. Use the Pollard $p-1$ method to find a divisor of 7,331,117. (For this exercise, you will need 
to use either a calculator or computational software.) 

28. Show that if $p$ and $q$ are distinct primes, then $p^{q-1} + q^{p-1} \equiv 1 \pmod{pq}$. 

29. Show that if $p$ is prime and $a$ is an integer, then $p \mid (a^p + (p-1)!\,a)$. 

30. Show that if $p$ is an odd prime, then $1^2 \cdot 3^2 \cdots (p-4)^2 (p-2)^2 \equiv (-1)^{(p+1)/2} \pmod{p}$. 

31. Show that if $p$ is prime and $p \equiv 3 \pmod{4}$, then $((p-1)/2)! \equiv \pm 1 \pmod{p}$. 

32. a) Let $p$ be prime, and suppose that $r$ is a positive integer less than $p$ such that 
$(-1)^r r! \equiv -1 \pmod{p}$. Show that $(p - r + 1)! \equiv -1 \pmod{p}$. 
b) Using part (a), show that $61! \equiv 63! \equiv -1 \pmod{71}$. 

33. Using Wilson’s theorem, show that if $p$ is a prime and $p \equiv 1 \pmod{4}$, then the congruence 
$x^2 \equiv -1 \pmod{p}$ has two incongruent solutions given by $x \equiv \pm((p-1)/2)! \pmod{p}$. 

34. Show that if $p$ is a prime and $0 < k < p$, then $(p-k)!(k-1)! \equiv (-1)^k \pmod{p}$. 

35. Show that if n is an integer, then 


7T(n) = 


Ar q -1)1+1 

J 



36. Show that if $p$ is a prime and $p > 3$, then $2^{p-2} + 3^{p-2} + 6^{p-2} \equiv 1 \pmod{p}$. 

37. Show that if $n$ is a nonnegative integer, then $5 \mid 1^n + 2^n + 3^n + 4^n$ if and only if $4 \nmid n$. 

* 38. For which positive integers $n$ is $n^4 + 4^n$ prime? 

39. Show that the pair of positive integers $n$ and $n + 2$ are twin primes if and only if 
$4((n-1)! + 1) + n \equiv 0 \pmod{n(n+2)}$, where $n \ne 1$. 

40. Show that if the positive integers $n$ and $n + k$, where $n > k$ and $k$ is an even positive integer, 
are both prime, then $(k!)^2((n-1)! + 1) + n(k! - 1)(k-1)! \equiv 0 \pmod{n(n+k)}$. 


41. Show that if p is prime, then 



= 2 (mod p). 

42. Exercise 74 of Section 3.5 shows that if $p$ is prime and $k$ is a positive integer less than $p$, 
then the binomial coefficient $\binom{p}{k}$ is divisible by $p$. Use this fact and the binomial theorem 
to show that if $a$ and $b$ are integers, then $(a + b)^p \equiv a^p + b^p \pmod{p}$. 

43. Prove Fermat’s little theorem by mathematical induction. (Hint: In the induction step, use 
Exercise 42 to obtain a congruence for $(a + 1)^p$.) 

44. Using Exercise 30 of Section 4.3, prove Gauss’s generalization of Wilson’s theorem, namely, 
that the product of all the positive integers less than $m$ that are relatively prime to $m$ is 
congruent to $1 \pmod{m}$, unless $m = 4$, $p^t$, or $2p^t$, where $p$ is an odd prime and $t$ is a positive 
integer, in which case it is congruent to $-1 \pmod{m}$. 

45. A deck of cards is shuffled by cutting the deck into two piles of 26 cards. Then, the new deck 
is formed by alternating cards from the two piles, starting with the bottom pile. 

a) Show that if a card begins in the $c$th position in the deck, it will be in the $b$th position in 
the new deck, where $b \equiv 2c \pmod{53}$ and $1 \le b \le 52$. 

b) Determine the number of shuffles of the type described above that are needed to return 
the deck of cards to its original order. 


46. Let $p$ be prime and let $a$ be a positive integer not divisible by $p$. We define the Fermat quotient 
$q_p(a)$ by $q_p(a) = (a^{p-1} - 1)/p$. Show that if $a$ and $b$ are positive integers not divisible by 
the prime $p$, then $q_p(ab) \equiv q_p(a) + q_p(b) \pmod{p}$. 

47. Let $p$ be prime and let $a_1, a_2, \ldots, a_p$ and $b_1, b_2, \ldots, b_p$ be complete systems of residues 
modulo $p$. Show that $a_1 b_1, a_2 b_2, \ldots, a_p b_p$ is not a complete system of residues modulo $p$. 

* 48. Show that if $n$ is a positive integer with $n > 2$, then $n$ does not divide $2^n - 1$. 

* 49. Let $p$ be an odd prime. Show that $(p-1)!^{\,p^{n-1}} \equiv -1 \pmod{p^n}$. 


50. Show that if p is a prime with p > 5, then (p — 1) ! + 1 has at least two different prime divisors. 


51. Show that if $a$ and $n$ are relatively prime integers with $n > 1$, then $n$ is prime if and only if 
$(x - a)^n$ and $x^n - a$ are congruent modulo $n$ as polynomials. (Recall from the preamble to 
Exercise 48 in Section 4.1 that two polynomials are congruent modulo $n$ as polynomials if 
for each power of $x$ the coefficients of that power in the polynomials are congruent modulo 
$n$.) (The proof of Agrawal, Kayal, and Saxena [AgKaSa02] that there is a polynomial-time 
algorithm for determining whether an integer is prime begins with this result.) 

52. Find $(n! + 1, (n + 1)!)$ when $n$ is a positive integer. 


Computations and Explorations 

1. A Wilson prime is a prime $p$ for which $(p-1)! \equiv -1 \pmod{p^2}$. Find all Wilson primes less 
than 10,000. 

2. Find all primes $p$ less than 10,000 for which $2^{p-1} \equiv 1 \pmod{p^2}$. 

3. Find a factor of each of several different odd integers of your choice using the Pollard $p-1$ 
method. 

4. Verify the conjecture that $1^{n-1} + 2^{n-1} + 3^{n-1} + \cdots + (n-1)^{n-1} \not\equiv -1 \pmod{n}$ if $n$ is 
composite, for as many integers $n$ as you can. 

Programming Projects 

1. Find all Wilson primes less than a given positive integer n. 

2. Find the primes $p$ less than a given positive integer $n$ for which $2^{p-1} \equiv 1 \pmod{p^2}$. 

3. Solve linear congruences with prime moduli via Fermat’s little theorem. 

4. Factor a given positive integer n using the Pollard p — 1 method. 


6.2 Pseudoprimes 

Fermat’s little theorem tells us that if $n$ is prime and $b$ is any integer, then $b^n \equiv b \pmod{n}$. 
Consequently, if we can find an integer $b$ such that $b^n \not\equiv b \pmod{n}$, then we know that 
$n$ is composite. 

Example 6.8. We can show that 63 is not prime by observing that 

$2^{63} = 2^{60} \cdot 2^3 = (2^6)^{10} \cdot 2^3 = 64^{10} \cdot 2^3 \equiv 2^3 \equiv 8 \not\equiv 2 \pmod{63}$. ◄ 

Using Fermat’s little theorem, we can show that some integers are composite. It 
would be even more useful if it also provided a way to show that an integer is prime. 
It is commonly reported that the ancient Chinese believed that if $2^n \equiv 2 \pmod{n}$, then 
$n$ must be prime. This statement is true for $1 < n < 340$. Unfortunately, the converse of 
Fermat’s little theorem is not true, as the following example, which was discovered by 
Pierre Frederic Sarrus in 1919, shows. 

Example 6.9. Let $n = 341 = 11 \cdot 31$. By Fermat’s little theorem, we see that $2^{10} \equiv 1 \pmod{11}$, 
so that $2^{340} = (2^{10})^{34} \equiv 1 \pmod{11}$. Also, $2^{340} = (2^5)^{68} = (32)^{68} \equiv 1 \pmod{31}$. 
Hence, by Corollary 4.9.1, we have $2^{340} \equiv 1 \pmod{341}$. By multiplying 
both sides of this congruence by 2, we have $2^{341} \equiv 2 \pmod{341}$, even though 341 is not 
prime. ◄ 

Examples such as this lead to the following definition. 


A Historical Inaccuracy 

Apparently, the story that the ancient Chinese believed that $n$ is prime if $2^n \equiv 2 \pmod{n}$ is 
due to a mistaken translation and an error by a nineteenth-century Chinese mathematician. 
In 1897, J. H. Jeans reported that this statement dates “from the time of Confucius,” which 
seems to be the result of an erroneous translation from the book The Nine Chapters of 
Mathematical Art. In 1869, Alexander Wade published an article, “A Chinese theorem,” in 
the journal Notes and Queries on China, crediting the mathematician Li Shan-Lan (1811-1882) 
for this “theorem.” Li learned that this result was false, but the error was perpetuated 
by later authors. These historical details come from a letter from Chinese mathematician 
Man-Keung Siu to Paulo Ribenboim (see [Ri96] for more information). 

Definition. Let $b$ be a positive integer. If $n$ is a composite positive integer and 
$b^n \equiv b \pmod{n}$, then $n$ is called a pseudoprime to the base $b$. 

Note that if $(b, n) = 1$, then the congruence $b^n \equiv b \pmod{n}$ is equivalent to the 
congruence $b^{n-1} \equiv 1 \pmod{n}$. To see this, note that by Corollary 4.5.1 we can divide both 
sides of the first congruence by $b$, because $(b, n) = 1$, to obtain the second congruence. 
By part (iii) of Theorem 4.4, we can multiply both sides of the second congruence by $b$ 
to obtain the first. We will often use this equivalent condition. 

Example 6.10. The integers $341 = 11 \cdot 31$, $561 = 3 \cdot 11 \cdot 17$, and $645 = 3 \cdot 5 \cdot 43$ are 
pseudoprimes to the base 2, because it is easily verified that $2^{340} \equiv 1 \pmod{341}$, 
$2^{560} \equiv 1 \pmod{561}$, and $2^{644} \equiv 1 \pmod{645}$. ◄ 

Remark. Pseudoprimes, as defined above, are sometimes called Fermat pseudoprimes. 
This terminology is used to distinguish them from other types of integers that masquerade 
as primes. More generally, the term pseudoprime is used to describe composite integers 
that pass a particular test, or collection of tests, passed by all primes. Later in this 
section, we will discuss strong pseudoprimes, which are Fermat pseudoprimes that pass 
additional tests. In Chapter 11, we will discuss Euler pseudoprimes, another important 
type of pseudoprimes. 

If there are relatively few pseudoprimes to the base b, then checking to see whether 
the congruence b n = b (mod n) holds is a useful test; only a small fraction of composite 
numbers pass this test. In fact, there are far fewer pseudoprimes to the base b not 
exceeding a specified bound than prime numbers not exceeding that bound. In particular, 
there are 455,052,511 primes, but only 14,884 pseudoprimes to the base 2, less than $10^{10}$. 
Although pseudoprimes to any given base are rare, there are, nevertheless, infinitely 
many pseudoprimes to any given base. We will prove this for the base 2. The following 
lemma is useful in the proof. 

Lemma 6.1. If $d$ and $n$ are positive integers such that $d$ divides $n$, then $2^d - 1$ divides 
$2^n - 1$. 

Proof. Given that $d \mid n$, there is a positive integer $t$ with $dt = n$. By setting $x = 2^d$ 
in the identity $x^t - 1 = (x - 1)(x^{t-1} + x^{t-2} + \cdots + 1)$, we find that 
$2^n - 1 = (2^d - 1)(2^{d(t-1)} + 2^{d(t-2)} + \cdots + 2^d + 1)$. Consequently, we have $(2^d - 1) \mid (2^n - 1)$. ■ 

We can now prove that there are infinitely many pseudoprimes to the base 2. 

Theorem 6.6. There are infinitely many pseudoprimes to the base 2. 

Proof. We will show that if $n$ is an odd pseudoprime to the base 2, then $m = 2^n - 1$ is 
also an odd pseudoprime to the base 2. Because we have at least one odd pseudoprime 
to the base 2, namely, $n_0 = 341$, we will be able to construct infinitely many odd 
pseudoprimes to the base 2 by taking $n_0 = 341$ and $n_{k+1} = 2^{n_k} - 1$ for $k = 0, 1, 2, 3, \ldots$. 
These integers are all different, because $n_0 < n_1 < n_2 < \cdots < n_k < n_{k+1} < \cdots$. 

To continue the proof, let $n$ be an odd pseudoprime to the base 2, so that $n$ is 
composite and $2^{n-1} \equiv 1 \pmod{n}$. Because $n$ is composite, we have $n = dt$, with $1 < d < n$ 
and $1 < t < n$. We will show that $m = 2^n - 1$ is also pseudoprime, by first showing 
that it is composite, and then by showing that $2^{m-1} \equiv 1 \pmod{m}$. 

To see that $m$ is composite, we use Lemma 6.1 to note that $(2^d - 1) \mid (2^n - 1) = m$. 
To show that $2^{m-1} \equiv 1 \pmod{m}$, note that because $2^n \equiv 2 \pmod{n}$, there is an 
integer $k$ with $2^n - 2 = kn$. Hence, $2^{m-1} = 2^{2^n - 2} = 2^{kn}$. By Lemma 6.1, it follows that 
$m = (2^n - 1) \mid (2^{kn} - 1) = 2^{m-1} - 1$. Hence, $2^{m-1} - 1 \equiv 0 \pmod{m}$, so that 
$2^{m-1} \equiv 1 \pmod{m}$. We conclude that $m$ is also a pseudoprime to the base 2. ■ 

If we want to know whether an integer $n$ is prime, and we find that $2^{n-1} \equiv 1 \pmod{n}$, 
we know that $n$ is either prime or a pseudoprime to the base 2. One follow-up approach is 
to test $n$ with other bases. That is, we check to see whether $b^{n-1} \equiv 1 \pmod{n}$ for various 
positive integers $b$. If we find any values of $b$ with $(b, n) = 1$ and $b^{n-1} \not\equiv 1 \pmod{n}$, then 
we know that $n$ is composite. 

Example 6.11. We have seen that 341 is a pseudoprime to the base 2. Let us test whether 
341 is also a pseudoprime to the base 7. Because 

$7^3 = 343 \equiv 2 \pmod{341}$ 

and 

$2^{10} = 1024 \equiv 1 \pmod{341}$, 

we have 

$7^{340} = (7^3)^{113} \cdot 7 \equiv 2^{113} \cdot 7 = (2^{10})^{11} \cdot 2^3 \cdot 7 \equiv 8 \cdot 7 = 56 \not\equiv 1 \pmod{341}$. 

Hence, by the contrapositive of Fermat’s little theorem, we see that 341 is composite, 
because $7^{340} \not\equiv 1 \pmod{341}$. ◄ 

Carmichael Numbers 

Unfortunately, there are composite integers $n$ that cannot be shown to be composite using 
the above approach, because there are integers that are pseudoprimes to every base, that 
is, there are composite integers $n$ such that $b^{n-1} \equiv 1 \pmod{n}$, for all $b$ with $(b, n) = 1$. 
This leads to the following definition. 

Definition. A composite integer $n$ that satisfies $b^{n-1} \equiv 1 \pmod{n}$ for all positive 
integers $b$ with $(b, n) = 1$ is called a Carmichael number (after Robert Carmichael, who 
studied them in the early part of the twentieth century) or an absolute pseudoprime. 

Example 6.12. The integer $561 = 3 \cdot 11 \cdot 17$ is a Carmichael number. To see this, 
note that if $(b, 561) = 1$, then $(b, 3) = (b, 11) = (b, 17) = 1$. Hence, from Fermat’s 
little theorem, we have $b^2 \equiv 1 \pmod{3}$, $b^{10} \equiv 1 \pmod{11}$, and $b^{16} \equiv 1 \pmod{17}$. 
Consequently, $b^{560} = (b^2)^{280} \equiv 1 \pmod{3}$, $b^{560} = (b^{10})^{56} \equiv 1 \pmod{11}$, and 
$b^{560} = (b^{16})^{35} \equiv 1 \pmod{17}$. Therefore, by Corollary 4.9.1, $b^{560} \equiv 1 \pmod{561}$ for all $b$ with $(b, n) = 1$. 

In 1912, Carmichael conjectured that there are infinitely many Carmichael numbers. 
It took 80 years to resolve this conjecture. In 1992, Alford, Granville, and Pomerance 
showed that Carmichael was correct.¹ Because of the complicated, nonelementary nature 
of their proof, we will not describe it here. However, we will prove one of the key 
ingredients, a theorem that can be used to find Carmichael numbers. 

Theorem 6.7. If $n = q_1 q_2 \cdots q_k$, where the $q_j$ are distinct primes that satisfy 
$(q_j - 1) \mid (n - 1)$ for all $j$ and $k > 2$, then $n$ is a Carmichael number. 

Proof. Let $b$ be a positive integer with $(b, n) = 1$. Then $(b, q_j) = 1$ for $j = 1, 2, \ldots, k$, 
and hence, by Fermat’s little theorem, $b^{q_j - 1} \equiv 1 \pmod{q_j}$ for $j = 1, 2, \ldots, k$. Because 
$(q_j - 1) \mid (n - 1)$ for each integer $j = 1, 2, \ldots, k$, there are integers $t_j$ with $t_j(q_j - 1) = n - 1$. 
Hence, for each $j$, we know that $b^{n-1} = b^{(q_j - 1)t_j} \equiv 1 \pmod{q_j}$. Therefore, by 
Corollary 4.9.1, we see that $b^{n-1} \equiv 1 \pmod{n}$, and we conclude that $n$ is a Carmichael 
number. ■ 

Example 6.13. Theorem 6.7 shows that $6601 = 7 \cdot 23 \cdot 41$ is a Carmichael number, 
because 7, 23, and 41 are all prime, $6 = (7 - 1) \mid 6600$, $22 = (23 - 1) \mid 6600$, and 
$40 = (41 - 1) \mid 6600$. ◄ 

The converse of Theorem 6.7 is also true, that is, all Carmichael numbers are of the 
form $q_1 q_2 \cdots q_k$, where the $q_j$ are distinct primes and $(q_j - 1) \mid (n - 1)$ for all $j$. We 
will prove this fact in Chapter 9. 

By the way, it has been shown that although there are only 43 Carmichael numbers 
not exceeding $10^6$, there are 105,212 of them not exceeding $10^{15}$. 
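
The Fermat test with several bases, and the criterion of Theorem 6.7, as an added Python illustration (not code from the text; all function names are assumptions). It shows base 7 exposing 341 while no base coprime to 561 exposes 561, and checks the divisibility criterion against the definition of a Carmichael number by brute force.

```python
from math import gcd, isqrt


def is_composite(n):
    """Trial division; adequate for the small integers used here."""
    return n > 3 and any(n % d == 0 for d in range(2, isqrt(n) + 1))


def is_pseudoprime(n, b):
    """Definition in the text: n is composite and b^n = b (mod n)."""
    return is_composite(n) and pow(b, n, n) == b % n


def fermat_witnesses(n, bases):
    """Bases b with (b, n) = 1 and b^(n-1) != 1 (mod n).

    A single such base proves that n is composite."""
    return [b for b in bases if gcd(b, n) == 1 and pow(b, n - 1, n) != 1]


def prime_factors(n):
    """Factorization by trial division, returned as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def satisfies_theorem_6_7(n):
    """Hypotheses of Theorem 6.7: n is a product of k > 2 distinct primes
    q_j with (q_j - 1) | (n - 1) for every j."""
    f = prime_factors(n)
    return (len(f) > 2
            and all(e == 1 for e in f.values())
            and all((n - 1) % (q - 1) == 0 for q in f))


def is_carmichael_by_definition(n):
    """Composite n with b^(n-1) = 1 (mod n) for every b coprime to n."""
    return is_composite(n) and all(
        pow(b, n - 1, n) == 1 for b in range(2, n) if gcd(b, n) == 1)


if __name__ == "__main__":
    print("pseudoprimes to base 2 below 1000:",
          [n for n in range(2, 1000) if is_pseudoprime(n, 2)])
    print("7^340 mod 341 =", pow(7, 340, 341))             # Example 6.11
    print("witnesses for 341 among 2, 7:", fermat_witnesses(341, [2, 7]))
    print("witnesses for 561:", fermat_witnesses(561, range(2, 561)))
    print("Theorem 6.7 holds for 6601:", satisfies_theorem_6_7(6601))
    print("Carmichael numbers below 7000:",
          [n for n in range(2, 7000) if satisfies_theorem_6_7(n)])
```

A primality check built only on the Fermat congruence accepts every Carmichael number for all bases coprime to it, which is why key-generation code relies on stronger tests such as the one developed next.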

Miller’s Test 

Once the congruence $b^{n-1} \equiv 1 \pmod{n}$, where $n$ is an odd integer, has been verified, 
another possible approach is to consider the least positive residue of $b^{(n-1)/2}$ modulo 
$n$. We note that if $x = b^{(n-1)/2}$, then $x^2 = b^{n-1} \equiv 1 \pmod{n}$. If $n$ is prime, by Theorem 
4.12 we know that either $x \equiv 1$ or $x \equiv -1 \pmod{n}$. Consequently, once we have found 
that $b^{n-1} \equiv 1 \pmod{n}$, we can check to see whether $b^{(n-1)/2} \equiv \pm 1 \pmod{n}$. If this 
congruence does not hold, then we know that $n$ is composite. 


¹In particular, they showed that $C(x)$, the number of Carmichael numbers not exceeding $x$, satisfies the 
inequality $C(x) > x^{2/7}$ for sufficiently large numbers $x$. 


ROBERT DANIEL CARMICHAEL (1879-1967) was born in Goodwater, 
Alabama. He received his B.A. from Lineville College in 1898 and his Ph.D. in 
1911 from Princeton University. Carmichael taught at Indiana University from 
1911 to 1915, and at the University of Illinois from 1915 until 1947. His thesis, 
written under the direction of G. D. Birkhoff, was considered the first significant 
American contribution to differential equations. Carmichael worked in a wide 
range of areas, including real analysis, differential equations, mathematical 
physics, group theory, and number theory. 

Example 6.14. Let $b = 5$ and let $n = 561$, the smallest Carmichael number. We find 
that $5^{(561-1)/2} = 5^{280} \equiv 67 \pmod{561}$. Hence, 561 is composite. ◄ 

To continue developing primality tests, we need the following definitions. 

Definition. Let $n$ be an integer with $n > 2$ and $n - 1 = 2^s t$, where $s$ is a nonnegative 
integer and $t$ is an odd positive integer. We say that $n$ passes Miller’s test for the base $b$ 
if either $b^t \equiv 1 \pmod{n}$ or $b^{2^j t} \equiv -1 \pmod{n}$ for some $j$ with $0 \le j \le s - 1$. 

The following example shows that 2047 passes Miller’s test for the base 2. 

Example 6.15. Let $n = 2047 = 23 \cdot 89$. Then $2^{2046} = (2^{11})^{186} = (2048)^{186} \equiv 1 \pmod{2047}$, 
so that 2047 is a pseudoprime to the base 2. Because $2^{2046/2} = 2^{1023} = (2^{11})^{93} = (2048)^{93} \equiv 1 \pmod{2047}$, 
2047 passes Miller’s test for the base 2. ◄ 

We now show that if $n$ is prime, then $n$ passes Miller’s test for all bases $b$ with $n \nmid b$. 

Theorem 6.8. If $n$ is prime and $b$ is a positive integer with $n \nmid b$, then $n$ passes Miller’s 
test for the base $b$. 

Proof. Let $n - 1 = 2^s t$, where $s$ is a nonnegative integer and $t$ is an odd positive 
integer. Let $x_k = b^{(n-1)/2^k} = b^{2^{s-k} t}$ for $k = 0, 1, 2, \ldots, s$. Because $n$ is prime, 
Fermat’s little theorem tells us that $x_0 = b^{n-1} \equiv 1 \pmod{n}$. By Theorem 4.12, because 
$x_1^2 = (b^{(n-1)/2})^2 = x_0 \equiv 1 \pmod{n}$, either $x_1 \equiv -1 \pmod{n}$ or $x_1 \equiv 1 \pmod{n}$. If 
$x_1 \equiv 1 \pmod{n}$, because $x_2^2 = x_1 \equiv 1 \pmod{n}$, either $x_2 \equiv -1 \pmod{n}$ or $x_2 \equiv 1 \pmod{n}$. 
In general, if we have found that $x_0 \equiv x_1 \equiv x_2 \equiv \cdots \equiv x_k \equiv 1 \pmod{n}$, with $k < s$, 
then, because $x_{k+1}^2 = x_k \equiv 1 \pmod{n}$, we know that either $x_{k+1} \equiv -1 \pmod{n}$ or 
$x_{k+1} \equiv 1 \pmod{n}$. 

Continuing this procedure for $k = 1, 2, \ldots, s$, we find that either $x_s \equiv 1 \pmod{n}$ or 
$x_k \equiv -1 \pmod{n}$ for some integer $k$, with $0 \le k \le s$. Hence, $n$ passes Miller’s test for 
the base $b$. ■ 

If the positive integer $n$ passes Miller’s test for the base $b$, then either $b^t \equiv 1 \pmod{n}$ 
or $b^{2^j t} \equiv -1 \pmod{n}$ for some $j$ with $0 \le j \le s - 1$, where $n - 1 = 2^s t$ and $t$ is odd. 

In either case, we have $b^{n-1} \equiv 1 \pmod{n}$, because $b^{n-1} = (b^{2^j t})^{2^{s-j}}$ for 
$j = 0, 1, 2, \ldots, s$, so that a composite integer $n$ that passes Miller’s test for the base $b$ 
is automatically a pseudoprime to the base $b$. With this observation, we are led to the 
following definition. 

Definition. If n is composite and passes Miller’s test for the base b, then we say n is a 
strong pseudoprime to the base b. 

Example 6.16. By Example 6.15, we see that 2047 is a strong pseudoprime to the 
base 2. ◄ 

Although strong pseudoprimes are exceedingly rare, there are still infinitely many 
of them. We demonstrate this for the base 2 with the following theorem. 

Theorem 6.9. There are infinitely many strong pseudoprimes to the base 2. 

Proof. We shall show that if n is a pseudoprime to the base 2, then $N = 2^n - 1$ is a 
strong pseudoprime to the base 2. 

Let n be an odd integer that is a pseudoprime to the base 2. Hence, n is composite, 
and $2^{n-1} \equiv 1 \pmod{n}$. From this congruence, we see that $2^{n-1} - 1 = nk$ for some integer 
k; furthermore, k must be odd. We have 

$N - 1 = 2^n - 2 = 2(2^{n-1} - 1) = 2^1 nk$; 

this is the factorization of N - 1 into an odd integer and a power of 2. 

We now note that 

$2^{(N-1)/2} = 2^{nk} = (2^n)^k \equiv 1 \pmod{N}$, 

because $2^n = (2^n - 1) + 1 = N + 1 \equiv 1 \pmod{N}$. This demonstrates that N passes 
Miller’s test. 

In the proof of Lemma 6.1, we showed that if n is composite, then $N = 2^n - 1$ 
also is composite. Hence, N passes Miller’s test and is composite, so that N is a strong 
pseudoprime to the base 2. Because every pseudoprime n to the base 2 yields a strong 
pseudoprime $2^n - 1$ to the base 2, and because there are infinitely many pseudoprimes to 
the base 2, we conclude that there are infinitely many strong pseudoprimes to the base 2. 

■ 

The following observations are useful in combination with Miller’s test for checking 
the primality of relatively small integers. The smallest odd strong pseudoprime to the base 
2 is 2047, so that if n < 2047, n is odd, and n passes Miller’s test to the base 2, then n 
is prime. Likewise, 1,373,653 is the smallest odd strong pseudoprime to both the bases 
2 and 3, giving us a primality test for integers less than 1,373,653. The smallest odd 
strong pseudoprime to the bases 2, 3, and 5 is 25,326,001, and the smallest odd strong 
pseudoprime to all the bases 2, 3, 5, and 7 is 3,215,031,751. Furthermore, there are no 
other strong pseudoprimes to all these bases that are less than $25 \cdot 10^9$. (The reader should 
verify these statements.) This leads us to a primality test for integers less than $25 \cdot 10^9$. 
An odd integer n is prime if $n < 25 \cdot 10^9$, n passes Miller’s test for the bases 2, 3, 5, and 
7, and $n \ne 3{,}215{,}031{,}751$. 

Computations show that there are only 101 integers less than $10^{12}$ that are strong 
pseudoprimes to the bases 2, 3, and 5 simultaneously. Only 9 of these are also strong 
pseudoprimes to the base 7, and none of these is a strong pseudoprime to the base 
11. The smallest strong pseudoprime to the bases 2, 3, 5, 7, and 11 simultaneously is 
2,152,302,898,747. Therefore, an odd integer n with n < 2,152,302,898,747 
is prime if it passes Miller’s test for the bases 2, 3, 5, 7, and 11. If we want to 
test even bigger integers for primality in this way, we can use the observation that no 
positive integer less than 341,550,071,728,321 is a strong pseudoprime to the bases 2, 
3, 5, 7, 11, 13, and 17. A positive odd integer not exceeding this number is prime if it 
passes Miller’s test for the seven primes, 2, 3, 5, 7, 11, 13, and 17. 

There is no analogue to a Carmichael number for strong pseudoprimes. This is a 
consequence of the following theorem. 

Theorem 6.10. If n is an odd composite positive integer, then n passes Miller’s test for 
at most $(n - 1)/4$ bases b with $1 \le b \le n - 1$. 

We prove Theorem 6.10 in Chapter 9. Note that Theorem 6.10 tells us that if n 
passes Miller’s tests for more than $(n - 1)/4$ bases less than n, then n must be prime. 
However, this is a rather lengthy way to show that a positive integer n is prime, worse 
than performing trial divisions. Miller’s test does give an interesting and quick way of 
showing that an integer n is “probably prime.” To see this, take at random an integer b 
with $1 \le b \le n - 1$ (we will see how to make this “random” choice in Chapter 10). From 
Theorem 6.10, we see that if n is composite, the probability that n passes Miller’s test for 
the base b is less than 1/4. If we pick k different bases less than n and perform Miller’s 
tests for each of these bases, we are led to the following result. 

Theorem 6.11. Rabin’s Probabilistic Primality Test. Let n be a positive integer. Pick 
k different positive integers less than n and perform Miller’s test on n for each of these 
bases. If n is composite, the probability that n passes all k tests is less than $(1/4)^k$. 

Let n be a composite positive integer. Using Rabin’s probabilistic primality test, if 
we pick 100 different integers at random between 1 and n and perform Miller’s test for 
each of these 100 bases, then the probability that n passes all the tests is less than $10^{-60}$, 
an extremely small number. In fact, it may be more likely that a computer error was made 
than that a composite integer passes all 100 tests. Using Rabin’s primality test does not 
definitely prove that an integer n that passes some large number of tests is prime, but 
it does give extremely strong, indeed almost overwhelming, evidence that the integer is 
prime. 
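
The deterministic bounds quoted after Theorem 6.9 and Rabin’s test of Theorem 6.11 can both be built on one routine for Miller’s test. The following Python sketch is an added example, not code from the book; the function names and the default k = 20 are assumptions made here, and the bounds and base sets are the ones stated in the text.

```python
import secrets

# Bounds stated in the text: an odd n below the bound that passes Miller's
# test for every listed base is prime. Every base is smaller than any n it
# is applied to, so n never divides a base.
TIERS = [
    (2_047, (2,)),
    (1_373_653, (2, 3)),
    (25_326_001, (2, 3, 5)),
    (25 * 10**9, (2, 3, 5, 7)),
    (2_152_302_898_747, (2, 3, 5, 7, 11)),
    (341_550_071_728_321, (2, 3, 5, 7, 11, 13, 17)),
]
# The one strong pseudoprime to 2, 3, 5 and 7 below 25 * 10**9 (from the text).
EXCEPTION_2357 = 3_215_031_751


def decompose(n):
    """Write n - 1 = 2**s * t with t odd and return (s, t)."""
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    return s, t


def miller_test(n, b):
    """True if the odd integer n > 2 passes Miller's test for the base b."""
    s, t = decompose(n)
    x = pow(b, t, n)                  # b^t mod n
    if x == 1 or x == n - 1:          # b^t = 1, or the case j = 0 of b^(2^j t) = -1
        return True
    for _ in range(s - 1):            # j = 1, ..., s - 1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_prime_deterministic(n):
    """Exact primality for n < 341,550,071,728,321 using the fixed base sets."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0 or n == EXCEPTION_2357:
        return False
    for bound, bases in TIERS:
        if n < bound:
            return all(miller_test(n, b) for b in bases)
    raise ValueError("n is outside the range covered by the stated bounds")


def rabin_probably_prime(n, k=20):
    """Rabin's test: Miller's test for k different randomly chosen bases.

    A composite n passes all k tests with probability below (1/4)**k.
    """
    if n < 5:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    # Bases 1 and n - 1 pass Miller's test for every odd n, so they carry no
    # information; draw the bases from 2, ..., n - 2 instead.
    k = min(k, n - 3)
    bases = set()
    while len(bases) < k:
        bases.add(2 + secrets.randbelow(n - 3))
    return all(miller_test(n, b) for b in bases)


if __name__ == "__main__":
    print("2047 passes base 2:", miller_test(2047, 2))
    print("2047 passes base 3:", miller_test(2047, 3))
    print("2047 prime?", is_prime_deterministic(2047))
    print("2**61 - 1 probably prime?", rabin_probably_prime(2**61 - 1))
```

A True result from `rabin_probably_prime` is evidence, not proof, while a False result is always a proof of compositeness; `is_prime_deterministic` is exact only inside the stated range.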

There is a famous conjecture in analytic number theory called the generalized 
Riemann hypothesis, which is a statement about the famous Riemann zeta function, 
named after the German mathematician Georg Friedrich Bernhard Riemann, which is 
discussed in Section 3.2. The following conjecture due to Eric Bach is a consequence of 
this hypothesis. 

Conjecture 6.1. For every composite positive integer n, there is a base b, with 
$b < 2(\log n)^2$, such that n fails Miller’s test for the base b. 

If this conjecture is true, as many number theorists believe, the following result 
provides a rapid primality test. 

Theorem 6.12. If the generalized Riemann hypothesis is valid, then there is an algorithm 
to determine whether a positive integer n is prime using $O((\log_2 n)^5)$ bit operations. 

Proof. Let b be a positive integer less than n. To perform Miller’s test for the base b on n 
takes $O((\log_2 n)^3)$ bit operations, because this test requires that we perform no more than 
$\log_2 n$ modular exponentiations, each using $O((\log_2 b)^2)$ bit operations. Assume that the 
generalized Riemann hypothesis is true. If n is composite, then by Conjecture 6.1, there 
is a base b with $1 < b < 2(\log_2 n)^2$ such that n fails Miller’s test for b. To discover this 
b requires less than $O((\log_2 n)^3) \cdot O((\log_2 n)^2) = O((\log_2 n)^5)$ bit operations. Hence, 
using $O((\log_2 n)^5)$ bit operations, we can determine whether n is composite or prime. 


The important point about Rabin’s probabilistic primality test and Theorem 6.12 
is that both results indicate that it is possible to check an integer n for primality using 
only $O((\log_2 n)^k)$ bit operations, where k is a positive integer. (Also, the recent result of 
Agrawal, Kayal, and Saxena [AgKaSa02] shows that there is a deterministic test using 
$O((\log_2 n)^k)$ bit operations.) This contrasts strongly with the problem of factoring. 
The best algorithm known for factoring an integer requires a number of bit operations 
exponential in the square root of the logarithm of the number of bits in the integer being 
factored, whereas primality testing seems to require only a number of bit operations 
less than a polynomial in the number of bits of the integer tested. We capitalize on this 
difference by presenting a recently invented cipher system in Chapter 8. 


6.2 Exercises 

1. Show that 91 is a pseudoprime to the base 3. 

2. Show that 45 is a pseudoprime to the bases 17 and 19. 

3. Show that the even integer $n = 161{,}038 = 2 \cdot 73 \cdot 1103$ satisfies the congruence 
$2^n \equiv 2 \pmod{n}$. The integer 161,038 is the smallest even pseudoprime to the base 2. 

4. Show that every odd composite integer is a pseudoprime to both the base 1 and the base -1. 


GEORG FRIEDRICH BERNHARD RIEMANN (1826-1866), the son of a 
minister, was born in Breselenz, Germany. His elementary education came from 
his father. After completing his secondary education, he entered Göttingen 
University to study theology. However, he also attended lectures on mathematics. 
After receiving the approval of his father to concentrate on mathematics, 
Riemann transferred to Berlin University, where he studied under several prominent 
mathematicians, including Dirichlet and Jacobi. He subsequently returned to 
Göttingen, where he obtained his Ph.D. 

Riemann was one of the most imaginative and creative mathematicians of all time. He made 
fundamental contributions to geometry, mathematical physics, and analysis. He wrote only one paper 
on number theory, which was eight pages long, but this paper has had tremendous impact. Riemann 
died of tuberculosis at the early age of 39. 

5. Show that if n is an odd composite integer and n is a pseudoprime to the base a, then n is a 
pseudoprime to the base n - a. 

* 6. Show that if $n = (a^{2p} - 1)/(a^2 - 1)$, where a is an integer, a > 1, and p is an odd prime not 
dividing $a(a^2 - 1)$, then n is a pseudoprime to the base a. Conclude that there are infinitely 
many pseudoprimes to any base a. (Hint: To establish that $a^{n-1} \equiv 1 \pmod{n}$, show that 
$2p \mid (n - 1)$, and demonstrate that $a^{2p} \equiv 1 \pmod{n}$.) 

7. Show that every composite Fermat number $F_m = 2^{2^m} + 1$ is a pseudoprime to the base 2. 

8. Show that if p is prime and $2^p - 1$ is composite, then $2^p - 1$ is a pseudoprime to the base 2. 

9. Show that if n is a pseudoprime to the bases a and b, then n is also a pseudoprime to the base 
ab. 

10. Suppose that a and n are relatively prime positive integers. Show that if n is a pseudoprime 
to the base a, then n is a pseudoprime to the base $\bar{a}$, where $\bar{a}$ is an inverse of a modulo n. 

11. Show that if n is a pseudoprime to the base a, but not a pseudoprime to the base b, where 
(a, n) = (b, n) = 1, then n is not a pseudoprime to the base ab. 

12. Show that 25 is a strong pseudoprime to the base 7. 

13. Show that 1387 is a pseudoprime, but not a strong pseudoprime, to the base 2. 

14. Show that 1,373,653 is a strong pseudoprime to both bases 2 and 3. 

15. Show that 25,326,001 is a strong pseudoprime to bases 2, 3, and 5. 

16. Show that the following integers are Carmichael numbers. 

a) $2821 = 7 \cdot 13 \cdot 31$ 
b) $10{,}585 = 5 \cdot 29 \cdot 73$ 
c) $29{,}341 = 13 \cdot 37 \cdot 61$ 
d) $314{,}821 = 13 \cdot 61 \cdot 397$ 
e) $278{,}545 = 5 \cdot 17 \cdot 29 \cdot 113$ 
f) $172{,}081 = 7 \cdot 13 \cdot 31 \cdot 61$ 
g) $564{,}651{,}361 = 43 \cdot 3361 \cdot 3907$ 

17. Find a Carmichael number of the form $7 \cdot 23 \cdot q$, where q is an odd prime other than q = 41, 
or show that there are no others. 

18. a) Show that every integer of the form (6m + 1)(12m + 1)(18m + 1), where m is a positive 
integer such that 6m + 1, 12m + 1, and 18m + 1 are all primes, is a Carmichael number. 
b) Conclude from part (a) that $1729 = 7 \cdot 13 \cdot 19$; $294{,}409 = 37 \cdot 73 \cdot 109$; 
$56{,}052{,}361 = 211 \cdot 421 \cdot 631$; $118{,}901{,}521 = 271 \cdot 541 \cdot 811$; and 
$172{,}947{,}529 = 307 \cdot 613 \cdot 919$ are Carmichael numbers. 

19. The smallest Carmichael number with six prime factors is 
$5 \cdot 19 \cdot 23 \cdot 29 \cdot 37 \cdot 137 = 321{,}197{,}185$. Verify that this number is a Carmichael number. 

* 20. Show that if n is a Carmichael number, then n is square-free. 

21. Show that if n is a positive integer with $n \equiv 3 \pmod{4}$, then Miller’s test takes $O((\log_2 n)^3)$ 
bit operations. 

Computations and Explorations 

1. Determine for which positive integers n, n < 100, the integer $n \cdot 2^n - 1$ is prime. 

2. Find as many Carmichael numbers of the form (6m + 1)(12m + 1)(18m + 1), where 6m + 1, 
12m + 1, and 18m + 1 are all prime, as you can. 

3. Find as many even pseudoprimes to the base 2 that are the product of three primes as you 
can. Do you think that there are infinitely many? 

4. The integers of the form $n \cdot 2^n + 1$, where n is a positive integer greater than 1, are called 
Cullen numbers. Can you find a prime Cullen number? 

Programming Projects 

1. Given a positive integer n, determine whether n satisfies the congruence $b^{n-1} \equiv 1 \pmod{n}$, 
where b is a positive integer less than n; if it does, then n is either a prime or a pseudoprime 
to the base b. 

2. Given a positive integer n, determine whether n passes Miller’s test to the base b; if it does, 
then n is either prime or a strong pseudoprime to the base b. 

3. Perform a primality test for integers less than $25 \cdot 10^9$ based on Miller’s test for the bases 
2, 3, 5, and 7. (Use the remarks that follow Theorem 6.9.) 

4. Perform a primality test for integers less than 2,152,302,898,747 based on Miller’s test for 
the bases 2, 3, 5, 7, and 11. (Use the remarks that follow Theorem 6.9.) 

5. Perform a primality test for integers less than 341,550,071,728,321 based on Miller’s test for 
the bases 2, 3, 5, 7, 11, 13, and 17. (Use the remarks that follow Theorem 6.9.) 

6. Given an odd positive integer n, determine whether n passes Rabin’s probabilistic primality 
test. 

7. Given a positive integer n, find all Carmichael numbers < n. 


6.3 Euler’s Theorem 

Fermat’s little theorem tells us how to work with certain congruences involving exponents 
when the modulus is a prime. How do we work with the corresponding congruences 
modulo a composite integer? 

For this purpose, we would like to establish a congruence analogous to that provided 
by Fermat’s little theorem for composite integers. As mentioned in Section 6.1, the great 
Swiss mathematician Leonhard Euler published a proof of Fermat’s little theorem in 
1736. In 1760, Euler managed to find a natural generalization of the congruence in 
Fermat’s little theorem that holds for composite integers. Before introducing this result, 
we need to define a special counting function (introduced by Euler) used in the theorem. 

Definition. Let n be a positive integer. The Euler phi-function $\phi(n)$ is defined to be 
the number of positive integers not exceeding n that are relatively prime to n. 

In Table 6.1, we display the values of $\phi(n)$ for $1 \le n \le 12$. The values of $\phi(n)$ for 
$1 \le n \le 100$ are given in Table 2 of Appendix E. 

In Chapter 7, we study the Euler phi-function further. In this section, we use the 
phi-function to give an analogue of Fermat’s little theorem for composite moduli. To do this, 
we need to lay some groundwork. 

n            1   2   3   4   5   6   7   8   9   10   11   12 
$\phi(n)$    1   1   2   2   4   2   6   4   6    4   10    4 

Table 6.1 The values of Euler's phi-function for $1 \le n \le 12$. 


Definition. A reduced residue system modulo n is a set of $\phi(n)$ integers such that each 
element of the set is relatively prime to n, and no two different elements of the set are 
congruent modulo n. 

Example 6.17. The set {1, 3, 5, 7} is a reduced residue system modulo 8. The set 
{-3, -1, 1, 3} is also such a set. ◄ 

We will need the following theorem about reduced residue systems. 

Theorem 6.13. If $r_1, r_2, \ldots, r_{\phi(n)}$ is a reduced residue system modulo n, and if a is 
a positive integer with (a, n) = 1, then the set $ar_1, ar_2, \ldots, ar_{\phi(n)}$ is also a reduced 
residue system modulo n. 

Proof. To show that each integer $ar_j$ is relatively prime to n, we assume that $(ar_j, n) > 1$. 
Then, there is a prime divisor p of $(ar_j, n)$. Hence, either $p \mid a$ or $p \mid r_j$. Thus, we have 
either $p \mid a$ and $p \mid n$, or $p \mid r_j$ and $p \mid n$. However, we cannot have both $p \mid r_j$ and $p \mid n$, 
because $r_j$ is a member of a reduced residue system modulo n, and both $p \mid a$ and $p \mid n$ 
cannot hold because (a, n) = 1. Hence, we can conclude that $ar_j$ and n are relatively 
prime for $j = 1, 2, \ldots, \phi(n)$. 

To demonstrate that no two $ar_j$ are congruent modulo n, we assume that 
$ar_j \equiv ar_k \pmod{n}$, where j and k are distinct positive integers with $1 \le j \le \phi(n)$ and 
$1 \le k \le \phi(n)$. Because (a, n) = 1, by Corollary 4.5.1 we see that $r_j \equiv r_k \pmod{n}$. This is a 
contradiction, because $r_j$ and $r_k$ come from the original set of reduced residues modulo 
n, so that $r_j \not\equiv r_k \pmod{n}$. ■ 


LEONHARD EULER (1707-1783) was the son of a minister from the vicinity 
of Basel, Switzerland, who, besides theology, had also studied mathematics. At 
13, Euler entered the University of Basel with the aim of pursuing a career in 
theology, as his father wished. At the university, Euler was tutored in mathematics 
by Johann Bernoulli, of the famous Bernoulli family of mathematicians, and 
became friends with Johann’s sons Nicklaus and Daniel. His interest in mathematics 
led him to abandon his plans to follow in his father’s footsteps. Euler 
obtained his master’s degree in philosophy at the age of 16. In 1727, Peter the 
Great invited Euler to join the Imperial Academy in St. Petersburg, at the insistence of Nicklaus and 
Daniel Bernoulli, who had entered the academy in 1725 when it was founded. Euler spent the years 
1727-1741 and 1766-1783 at the Imperial Academy. He spent the interval 1741-1766 at the Royal 
Academy of Berlin. Euler was incredibly prolific; he wrote more than 700 books and papers, and he 
left so much unpublished work that the Imperial Academy did not finish publication of Euler’s work 
for 47 years after his death. During his life, his papers accumulated so rapidly that he kept a pile of 
papers to be published for the academy. They published the top papers in the pile first, so that later 
results were published before results they superseded or depended on. Euler was blind for the last 
17 years of his life, but had a fantastic memory, so that his blindness did not deter his mathematical 
output. He also had 13 children, and was able to continue his research while a child or two bounced 
on his knees. The publication of the collected works and letters of Euler, the Opera Omnia, by the 
Swiss Academy of Science will require more than 85 large volumes, of which 76 have already been 
published (as of late 1999). 

We illustrate the use of Theorem 6.13 with an example. 

Example 6.18. The set 1, 3, 5, 7 is a reduced residue system modulo 8. Because 
(3, 8) = 1, from Theorem 6.13, the set 3 • 1 = 3, 3 • 3 = 9, 3 • 5 = 15, 3 • 7 = 21 is also a 
reduced residue system modulo 8. ◄ 

We now state Euler’s theorem. 

Theorem 6.14. Euler’s Theorem. If m is a positive integer and a is an integer with 
(a, m) = 1, then $a^{\phi(m)} \equiv 1 \pmod{m}$. 

Before we prove Euler’s theorem, we illustrate the idea behind the proof with an 
example. 

Example 6.19. We know that both the sets 1, 3, 5, 7 and 3 • 1, 3 • 3, 3 • 5, 3 • 7 are 
reduced residue systems modulo 8. Hence, they have the same least positive residues 
modulo 8. Therefore, 

$(3 \cdot 1) \cdot (3 \cdot 3) \cdot (3 \cdot 5) \cdot (3 \cdot 7) \equiv 1 \cdot 3 \cdot 5 \cdot 7 \pmod{8}$, 

and 

$3^4 \cdot 1 \cdot 3 \cdot 5 \cdot 7 \equiv 1 \cdot 3 \cdot 5 \cdot 7 \pmod{8}$. 

Because $(1 \cdot 3 \cdot 5 \cdot 7, 8) = 1$, we conclude that 

$3^4 = 3^{\phi(8)} \equiv 1 \pmod{8}$. ◄ 


We now use the ideas illustrated by this example to prove Euler’s theorem. 

Proof. Let $r_1, r_2, \ldots, r_{\phi(m)}$ denote the reduced residue system made up of the 
positive integers not exceeding m that are relatively prime to m. By Theorem 6.13, 
because (a, m) = 1, the set $ar_1, ar_2, \ldots, ar_{\phi(m)}$ is also a reduced residue system 
modulo m. Hence, the least positive residues of $ar_1, ar_2, \ldots, ar_{\phi(m)}$ must be the integers 
$r_1, r_2, \ldots, r_{\phi(m)}$ in some order. Consequently, if we multiply together all terms in each 
of these reduced residue systems, we obtain 

$ar_1 ar_2 \cdots ar_{\phi(m)} \equiv r_1 r_2 \cdots r_{\phi(m)} \pmod{m}$. 

Thus, 

$a^{\phi(m)} r_1 r_2 \cdots r_{\phi(m)} \equiv r_1 r_2 \cdots r_{\phi(m)} \pmod{m}$. 

Because $(r_1 r_2 \cdots r_{\phi(m)}, m) = 1$, from Corollary 4.5.1, we can conclude that 
$a^{\phi(m)} \equiv 1 \pmod{m}$. ■ 

We can use Euler’s theorem to find inverses modulo m. If a and m are relatively 
prime, we know that 

$a \cdot a^{\phi(m)-1} = a^{\phi(m)} \equiv 1 \pmod{m}$. 

Hence, $a^{\phi(m)-1}$ is an inverse of a modulo m. 

Example 6.20. We know that $2^{\phi(9)-1} = 2^{6-1} = 2^5 = 32 \equiv 5 \pmod{9}$ is an inverse of 
2 modulo 9. ◄ 

We can solve linear congruences using this observation. To solve $ax \equiv b \pmod{m}$, 
where (a, m) = 1, we multiply both sides of this congruence by $a^{\phi(m)-1}$ to obtain 

$a^{\phi(m)-1} a x \equiv a^{\phi(m)-1} b \pmod{m}$. 

Therefore, the solutions are those integers x such that $x \equiv a^{\phi(m)-1} b \pmod{m}$. 

Example 6.21. The solutions of $3x \equiv 7 \pmod{10}$ are given by $x \equiv 3^{\phi(10)-1} \cdot 7 \equiv 
3^3 \cdot 7 \equiv 9 \pmod{10}$, because $\phi(10) = 4$. ◄ 
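
The inverse and linear-congruence method above, together with the permutation property of Theorem 6.13 that the proof of Euler’s theorem rests on, can be checked by machine. The following Python sketch is an added example, not code from the book; the function names are chosen here, and the phi-function is computed directly from its definition by counting.

```python
from math import gcd


def reduced_residues(n):
    """Least positive reduced residue system modulo n."""
    return [r for r in range(1, n + 1) if gcd(r, n) == 1]


def phi(n):
    """Euler phi-function from its definition (counting); fine for small n."""
    return len(reduced_residues(n))


def scaled_system(a, n):
    """Sorted least residues of a*r_1, ..., a*r_phi(n), as in Theorem 6.13."""
    if gcd(a, n) != 1:
        raise ValueError("Theorem 6.13 needs (a, n) = 1")
    return sorted(a * r % n for r in reduced_residues(n))


def inverse_by_euler(a, m):
    """Inverse of a modulo m, computed as a^(phi(m) - 1) mod m."""
    if gcd(a, m) != 1:
        raise ValueError("a has no inverse modulo m unless (a, m) = 1")
    return pow(a, phi(m) - 1, m)


def solve_linear_congruence(a, b, m):
    """Least nonnegative x with a*x = b (mod m), assuming (a, m) = 1."""
    return inverse_by_euler(a, m) * b % m


if __name__ == "__main__":
    print("phi(1..12):", [phi(n) for n in range(1, 13)])       # Table 6.1
    print("3 * {1,3,5,7} mod 8:", scaled_system(3, 8))          # Example 6.18
    print("inverse of 2 mod 9:", inverse_by_euler(2, 9))        # Example 6.20
    print("3x = 7 (mod 10):", solve_linear_congruence(3, 7, 10))  # Example 6.21
```

Counting costs about m gcd computations, so this is for checking small examples; Python’s built-in `pow(a, -1, m)` returns the same inverse without needing $\phi(m)$.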

6.3 Exercises 

1. Find a reduced residue system modulo each of the following integers. 
a) 6 b) 9 c) 10 d) 14 e) 16 f) 17 

2. Find a reduced residue system modulo $2^m$, where m is a positive integer. 

3. Show that if $c_1, c_2, \ldots, c_{\phi(m)}$ is a reduced residue system modulo m, where m is a positive 
integer with $m \ne 2$, then $c_1 + c_2 + \cdots + c_{\phi(m)} \equiv 0 \pmod{m}$. 

4. Show that if a and m are positive integers with (a, m) = (a - 1, m) = 1, then 
$1 + a + a^2 + \cdots + a^{\phi(m)-1} \equiv 0 \pmod{m}$. 

5. Find the last digit of the decimal expansion of $3^{1000}$. 

6. Find the last digit of the decimal expansion of $7^{999{,}999}$. 

7. Use Euler’s theorem to find the least positive residue of $3^{100{,}000}$ modulo 35. 

8. Show that if a is an integer such that a is not divisible by 3 or such that a is divisible by 9, 
then $a^7 \equiv a \pmod{63}$. 

9. Show that if a is an integer relatively prime to 32,760, then $a^{12} \equiv 1 \pmod{32{,}760}$. 

10. Show that = 1 (mod ab), if a and b are relatively prime positive integers. 

11. Solve each of the following linear congruences using Euler’s theorem. 
a) $5x \equiv 3 \pmod{14}$ b) $4x \equiv 7 \pmod{15}$ c) $3x \equiv 5 \pmod{16}$ 

12. Solve each of the following linear congruences using Euler’s theorem. 
a) $3x \equiv 11 \pmod{20}$ b) $10x \equiv 19 \pmod{21}$ c) $8x \equiv 13 \pmod{22}$ 

13. Suppose that $n = p_1 p_2 \cdots p_k$, where $p_1, p_2, \ldots, p_k$ are distinct odd primes. Show that 
$a^{\phi(n)+1} \equiv a \pmod{n}$. 

14. Show that the solutions to the simultaneous system of congruences 

$x \equiv a_1 \pmod{m_1}$ 
$x \equiv a_2 \pmod{m_2}$ 
$\vdots$ 
$x \equiv a_r \pmod{m_r}$, 

where the $m_j$ are pairwise relatively prime, are given by 

$x \equiv a_1 M_1^{\phi(m_1)} + a_2 M_2^{\phi(m_2)} + \cdots + a_r M_r^{\phi(m_r)} \pmod{M}$, 

where $M = m_1 m_2 \cdots m_r$ and $M_j = M/m_j$ for j = 1, 2, ..., r. 

15. Use Exercise 14 to solve each of the systems of congruences in Exercise 4 of Section 4.3. 

16. Use Exercise 14 to solve the system of congruences in Exercise 5 of Section 4.3. 

17. Use Euler’s theorem to find the last digit in the decimal expansion of $7^{1000}$. 

18. Use Euler’s theorem to find the last digit in the hexadecimal expansion of $5^{1{,}000{,}000}$. 

19. Find $\phi(n)$ for the integers n with $13 \le n \le 20$. 

20. Show that every positive integer relatively prime to 10 divides infinitely many repunits (see 
the preamble to Exercise 11 of Section 5.1). (Hint: Note that the n-digit repunit 
$111\ldots11 = (10^n - 1)/9$.) 
(see the preamble to Exercise 15 of Section 5.1). 

* 22. Show that if m is a positive integer, m > 1, then a m = (mod m) for all positive 

integers a. 

23. Show that if there is an integer b with (b, n) = 1 such that n is not a pseudoprime to the base b, 
then n is a pseudoprime to less than or equal to $\phi(n)$ different bases a with 1 < a < n. (Hint: 
Use Exercise 11 in Section 6.2. First show that the sets $a_1, a_2, \ldots, a_r$ and $ba_1, ba_2, \ldots, ba_r$ 
have no common elements, where $a_1, a_2, \ldots, a_r$ are the bases less than n to which n is a 
pseudoprime.) 

Computations and Explorations 

1. Find $\phi(n)$ for all integers n less than 1000. What conjectures can you make about the values 
of $\phi(n)$? 

2. Let $\Phi(n) = \sum_{i=1}^{n} \phi(i)$. Investigate the value of $\Phi(n)/n^2$ for increasingly large values of n, 
such as n = 100, n = 1000, and n = 10,000. Can you make a conjecture about the limit of 
this ratio as n grows large without bound? 

Programming Projects 

1. Construct a reduced residue system modulo n for a given positive integer n. 

2. Solve linear congruences using Euler’s theorem. 

3. Find the solutions of a simultaneous system of linear congruences using Euler’s theorem and 
the Chinese remainder theorem (see Exercise 14). 

In this chapter, we will study a special class of functions on the set of integers called 
multiplicative functions. A multiplicative function has the property that its value at 
an integer is the product of its values at each of the prime powers in its prime-power 
factorization. We will show that some important functions are multiplicative, including 
the number of divisors function, the sum of divisors function, and the Euler phi-function. 
We will use the fact that each of these functions is multiplicative to obtain a closed 
formula for the value of these functions at a positive integer n based on the prime-power 
factorization of n. 

Furthermore, we will study a special type of positive integer, called a perfect number, 
which is equal to the sum of its proper divisors. We will show that all even perfect numbers 
are generated by a special kind of prime, called a Mersenne prime, which is a prime that 
is 1 less than a power of 2. The quest for new Mersenne primes has been under way since 
ancient times, accelerated by the invention of powerful computers, and accelerated even 
more with the advent of the Internet. 

We will also show how the summatory function of an arithmetic function, that is, 
a function defined for all positive integers, can be used to obtain information about the 
function itself. The summatory function of a function f takes a value at n equal to the 
sum of the values of f at each of the positive divisors of n. The famous Möbius inversion 
formula shows how to obtain the values of f from the values of its summatory function. 

Finally, we will study arithmetic functions that count unrestricted and restricted 
partitions. By a partition, we mean a way to express a positive integer as a sum of positive 
integers where order does not matter; a partition is restricted when there are constraints 
on the terms in the sum. We will establish a variety of surprising identities between 
these arithmetic functions, and introduce many of the important concepts in the study of 
partitions. 


7.1 The Euler Phi-Function 

We will show in this section that the Euler phi-function has the property that its value 
at an integer n is the product of the values of the Euler phi-function at the prime powers 
that occur in the factorization of n. Functions with this property are called multiplicative; 
such functions arise throughout number theory. Using the fact that the Euler phi-function 
is multiplicative, we will derive a formula for its values based on prime factorizations. 
Later in this chapter, we will study other multiplicative functions, including the number 
of divisors function and the sum of divisors function. 

We first present some definitions. 

Definition. An arithmetic function is a function that is defined for all positive integers. 

Throughout this chapter, we are interested in arithmetic functions that have a special 
property. 

Definition. An arithmetic function f is called multiplicative if $f(mn) = f(m)f(n)$ 
whenever m and n are relatively prime positive integers. It is called completely 
multiplicative if $f(mn) = f(m)f(n)$ for all positive integers m and n. 

Example 7.1. The function $f(n) = 1$ for all n is completely multiplicative, and hence 
also multiplicative, because $f(mn) = 1$, $f(m) = 1$, and $f(n) = 1$, so that $f(mn) = 
f(m)f(n)$. Similarly, the function $g(n) = n$ is completely multiplicative, and hence 
multiplicative, since $g(mn) = mn = g(m)g(n)$. ◄ 

If f is a multiplicative function, then we can find a simple formula for $f(n)$ given 
the prime-power factorization of n. This result is particularly useful, because it shows us 
how to find $f(n)$ from the values of $f(p_i^{a_i})$ for i = 1, 2, ..., s, where $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ 
is the prime-power factorization of n. 

Theorem 7.1. If f is a multiplicative function and if $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ is the 
prime-power factorization of the positive integer n, then $f(n) = f(p_1^{a_1}) f(p_2^{a_2}) \cdots f(p_s^{a_s})$. 

Proof. We will prove this theorem using mathematical induction on the number of 
different primes in the prime factorization of the integer n. If n has one prime in its 
prime-power factorization, then $n = p_1^{a_1}$ for some prime $p_1$, and it follows that the result 
is trivially true. 

Suppose that the theorem is true for all integers with k different primes in their 
prime-power factorization. Now suppose that n has k + 1 different primes in its 
prime-power factorization, say, $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k} p_{k+1}^{a_{k+1}}$. Because f is multiplicative and 
$(p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}, p_{k+1}^{a_{k+1}}) = 1$, we see that $f(n) = f(p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}) f(p_{k+1}^{a_{k+1}})$. By the 
inductive hypothesis, we know that $f(p_1^{a_1} p_2^{a_2} p_3^{a_3} \cdots p_k^{a_k}) = f(p_1^{a_1}) f(p_2^{a_2}) f(p_3^{a_3}) \cdots 
f(p_k^{a_k})$. It follows that $f(n) = f(p_1^{a_1}) f(p_2^{a_2}) \cdots f(p_k^{a_k}) f(p_{k+1}^{a_{k+1}})$. This completes the 
inductive proof. ■ 

We now return to the Euler phi-function. We first consider its values at primes and 
then at prime powers. 

Theorem 7.2. If p is prime, then $\phi(p) = p - 1$. Conversely, if p is a positive integer 
with $\phi(p) = p - 1$, then p is prime. 

Proof. If p is prime, then every positive integer less than p is relatively prime to p. 
Because there are p - 1 such integers, we have $\phi(p) = p - 1$. Conversely, if p is not 
prime, then p = 1 or p is composite. If p = 1, then $\phi(p) \ne p - 1$ because $\phi(1) = 1$. If 
p is composite, then p has a divisor d with 1 < d < p, and, of course, p and d are not 
relatively prime. Because we know that at least one of the p - 1 integers 1, 2, ..., p - 1, 
namely, d, is not relatively prime to p, $\phi(p) \le p - 2$. Hence, if $\phi(p) = p - 1$, then p 
must be prime. ■ 

We now find the values of the phi-function at prime powers. 

Theorem 7.3. Let p be a prime and a a positive integer. Then $\phi(p^a) = p^a - p^{a-1}$. 

Proof. The positive integers less than or equal to $p^a$ that are not relatively prime to p 
are those integers not exceeding $p^a$ that are divisible by p. These are the integers kp, 
where $1 \le k \le p^{a-1}$. Since there are exactly $p^{a-1}$ such integers, there are $p^a - p^{a-1}$ 
integers less than $p^a$ that are relatively prime to $p^a$. Hence, $\phi(p^a) = p^a - p^{a-1}$. ■ 

Example 7.2. Using Theorem 7.3, we find that $\phi(5^3) = 5^3 - 5^2 = 100$, $\phi(2^{10}) = 
2^{10} - 2^9 = 512$, and $\phi(11^2) = 11^2 - 11 = 110$. ◄ 

To find a formula for $\phi(n)$, given the prime factorization of n, it suffices to show that 
$\phi$ is multiplicative. We illustrate the idea behind the proof with the following example. 

Example 7.3. Let m = 4 and n = 9, so that mn = 36. We list the integers from 1 to 36 
in a rectangular chart, as shown in Figure 7.1. 

Figure 7.1 Demonstrating that $\phi(36) = \phi(4)\phi(9)$. 

Neither the second nor the fourth row contains integers relatively prime to 36, since 
each element in these rows is not relatively prime to 4, and hence not relatively prime to 
36. We enclose the other two rows; each element of these rows is relatively prime to 4. 
Within each of these rows, there are 6 integers relatively prime to 9. We circle these; they 
are the 12 integers in the list relatively prime to 36. Hence, $\phi(36) = 2 \cdot 6 = \phi(4)\phi(9)$. ◄ 


We now state and prove the theorem that shows that $\phi$ is multiplicative. 

Theorem 7.4. Let m and n be relatively prime positive integers. Then $\phi(mn) = 
\phi(m)\phi(n)$. 

Proof. We display the positive integers not exceeding mn in the following way. 

$$
\begin{array}{ccccc}
1 & m+1 & 2m+1 & \cdots & (n-1)m+1 \\
2 & m+2 & 2m+2 & \cdots & (n-1)m+2 \\
3 & m+3 & 2m+3 & \cdots & (n-1)m+3 \\
\vdots & \vdots & \vdots & & \vdots \\
r & m+r & 2m+r & \cdots & (n-1)m+r \\
\vdots & \vdots & \vdots & & \vdots \\
m & 2m & 3m & \cdots & mn
\end{array}
$$

Now, suppose that r is a positive integer not exceeding m, and suppose that (m, r) = 
d > 1. Then no number in the rth row is relatively prime to mn, because any element of 
this row is of the form km + r, where k is an integer with $1 \le k \le n - 1$, and $d \mid (km + r)$, 
because $d \mid m$ and $d \mid r$. 

Consequently, to find those integers in the display that are relatively prime to mn, 
we need to look at the rth row only if (m, r) = 1. If (m, r) = 1 and $1 \le r \le m$, we must 
determine how many integers in this row are relatively prime to mn. The elements in this 
row are r, m + r, 2m + r, ..., (n - 1)m + r. Because (r, m) = 1, each of these integers 
is relatively prime to m. By Theorem 4.6 the n integers in the rth row form a complete 
system of residues modulo n. Hence, exactly $\phi(n)$ of these integers are relatively prime 
to n. Because these $\phi(n)$ integers are also relatively prime to m, they are relatively prime 
to mn. 

Because there are $\phi(m)$ rows, each containing $\phi(n)$ integers relatively prime to mn, 
we can conclude that $\phi(mn) = \phi(m)\phi(n)$. ■ 

Combining Theorems 7.3 and 7.4, we derive the following formula for $\phi(n)$.

Theorem 7.5. Let $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ be the prime-power factorization of the positive
integer $n$. Then

Proof. Because $\phi$ is multiplicative, Theorem 7.1 tells us that

$$\phi(n) = \phi(p_1^{a_1})\phi(p_2^{a_2}) \cdots \phi(p_k^{a_k}).$$

In addition, by Theorem 7.3, we know that

$$\phi(p_j^{a_j}) = p_j^{a_j} - p_j^{a_j - 1} = p_j^{a_j}\left(1 - \frac{1}{p_j}\right)$$

for $j = 1, 2, \ldots, k$. Hence,

$$\phi(n) = p_1^{a_1}\left(1 - \frac{1}{p_1}\right) p_2^{a_2}\left(1 - \frac{1}{p_2}\right) \cdots p_k^{a_k}\left(1 - \frac{1}{p_k}\right).$$

This is the desired formula for $\phi(n)$. ■

We illustrate the use of Theorem 7.5 by the following example. 

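Example 7.4. Using Theorem 7.5, we note that

$$\phi(100) = \phi(2^2 5^2) = 100\left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{5}\right) = 40$$

and

$$\phi(720) = \phi(2^4 3^2 5) = 720\left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{3}\right)\left(1 - \frac{1}{5}\right) = 192.$$ ◄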

Note that $\phi(n)$ is even except when $n = 2$, as the following theorem shows.

Theorem 7.6. Let $n$ be an integer greater than 2. Then $\phi(n)$ is even.

Proof. Suppose that $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ is the prime-power factorization of $n$. Because
$\phi$ is multiplicative, it follows that $\phi(n) = \prod_{j=1}^{s} \phi(p_j^{a_j})$. By Theorem 7.3, we know that
$\phi(p_j^{a_j}) = p_j^{a_j - 1}(p_j - 1)$. We can see that $\phi(p_j^{a_j})$ is even if $p_j$ is an odd prime, because
then $p_j - 1$ is even, or if $p_j = 2$ and $a_j > 1$, because then $p_j^{a_j - 1}$ is even. Given that $n > 2$,
at least one of these two conditions holds, so that $\phi(p_j^{a_j})$ is even for at least one integer
$j$, $1 \le j \le s$. We conclude that $\phi(n)$ is even. ■

Let $f$ be an arithmetic function. Then

$$F(n) = \sum_{d \mid n} f(d)$$

represents the sum of the values of $f$ at all the positive divisors of $n$. The function $F$ is
called the summatory function of $f$.

Example 7.5. If $f$ is an arithmetic function with summatory function $F$, then

$$F(12) = \sum_{d \mid 12} f(d) = f(1) + f(2) + f(3) + f(4) + f(6) + f(12).$$

For instance, if $f(d) = d^2$ and $F$ is the summatory function of $f$, then $F(12) = 210$,
because

$$\sum_{d \mid 12} d^2 = 1^2 + 2^2 + 3^2 + 4^2 + 6^2 + 12^2 = 1 + 4 + 9 + 16 + 36 + 144 = 210.$$ ◄

The following result, which states that $n$ is the sum of the values of the phi-function
at all the positive divisors of $n$, will also be useful in the sequel. It says that the summatory
function of $\phi(n)$ is the identity function, that is, the function whose value at $n$ is just $n$.

Theorem 7.7. Let $n$ be a positive integer. Then

$$\sum_{d \mid n} \phi(d) = n.$$

Proof. We split the set of integers from 1 to $n$ into classes. Put the integer $m$ into the
class $C_d$ if the greatest common divisor of $m$ and $n$ is $d$. We see that $m$ is in $C_d$, that is,
$(m, n) = d$, if and only if $(m/d, n/d) = 1$. Hence, the number of integers in $C_d$ is the
number of positive integers not exceeding $n/d$ that are relatively prime to the integer
$n/d$. From this observation, we see that there are $\phi(n/d)$ integers in $C_d$. Because we
divided the integers 1 to $n$ into disjoint classes and each integer is in exactly one class, $n$
is the sum of the numbers of elements in the different classes. Consequently, we see that

$$n = \sum_{d \mid n} \phi(n/d).$$

As $d$ runs through the positive integers that divide $n$, $n/d$ also runs through these divisors,
so that

$$n = \sum_{d \mid n} \phi(n/d) = \sum_{d \mid n} \phi(d).$$

This proves the theorem. ■

Example 7.6. We illustrate the proof of Theorem 7.7 when $n = 18$. The integers from
1 to 18 can be split into classes $C_d$, where $d \mid 18$ such that the class $C_d$ contains those
integers $m$ with $(m, 18) = d$. We have

$C_1 = \{1, 5, 7, 11, 13, 17\}$        $C_6 = \{6, 12\}$
$C_2 = \{2, 4, 8, 10, 14, 16\}$        $C_9 = \{9\}$
$C_3 = \{3, 15\}$                      $C_{18} = \{18\}$.

We see that the class $C_d$ contains $\phi(18/d)$ integers, as the six classes contain
$\phi(18) = 6$, $\phi(9) = 6$, $\phi(6) = 2$, $\phi(3) = 2$, $\phi(2) = 1$, and $\phi(1) = 1$ integers, respectively.
We note that $18 = \phi(18) + \phi(9) + \phi(6) + \phi(3) + \phi(2) + \phi(1) = \sum_{d \mid 18} \phi(d)$. ◄
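
The two counting arguments above, the row-by-row count in the proof of Theorem 7.4 and the classes $C_d$ in the proof of Theorem 7.7, can be replayed mechanically. The Python below is an added example, not part of the text; the function names are this example's own, and it checks each step of the proofs rather than using any formula for $\phi$.

```python
from math import gcd


def phi_by_definition(n):
    """phi(n): how many k in 1..n satisfy gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def chart_rows(m, n):
    """The display in the proof of Theorem 7.4: row r is r, m+r, ..., (n-1)m+r."""
    return {r: [k * m + r for k in range(n)] for r in range(1, m + 1)}


def count_by_rows(m, n):
    """Count the integers in 1..mn coprime to mn the way the proof does.

    Returns (number of rows with (m, r) = 1, coprime entries in each such row).
    Raises ValueError if any step of the proof fails for this m and n.
    """
    if gcd(m, n) != 1:
        raise ValueError("Theorem 7.4 needs (m, n) = 1")
    usable_rows = 0
    hits_per_row = set()
    for r, row in chart_rows(m, n).items():
        hits = [x for x in row if gcd(x, m * n) == 1]
        if gcd(r, m) > 1:
            # d = (m, r) divides every entry km + r, so this row contributes nothing.
            if hits:
                raise ValueError(f"row {r} should hold no integer coprime to mn")
            continue
        usable_rows += 1
        # Theorem 4.6: the n entries form a complete system of residues modulo n.
        if sorted(x % n for x in row) != list(range(n)):
            raise ValueError(f"row {r} is not a complete residue system mod n")
        hits_per_row.add(len(hits))
    if len(hits_per_row) != 1:
        raise ValueError("rows with (m, r) = 1 disagree on the count")
    return usable_rows, hits_per_row.pop()


def gcd_classes(n):
    """The classes of Theorem 7.7: C_d = {m in 1..n : (m, n) = d} for each d | n."""
    classes = {d: [] for d in range(1, n + 1) if n % d == 0}
    for m in range(1, n + 1):
        classes[gcd(m, n)].append(m)
    return classes


if __name__ == "__main__":
    rows, per_row = count_by_rows(4, 9)          # Example 7.3
    print("rows:", rows, "per row:", per_row, "phi(36):", phi_by_definition(36))
    for d, members in gcd_classes(18).items():   # Example 7.6
        print(f"C_{d} = {members}  size phi({18 // d}) = {phi_by_definition(18 // d)}")
```
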

A useful tool for finding all positive integers $n$ with $\phi(n) = k$, where $k$ is a positive
integer, is the equation $\phi(n) = \prod_{j=1}^{k} p_j^{a_j - 1}(p_j - 1)$, where the prime-power factorization
of $n$ is $n = \prod_{j=1}^{k} p_j^{a_j}$. This is illustrated in the following example.

Example 7.7. What are the solutions to the equation $\phi(n) = 8$, where $n$ is a positive
integer? Suppose that the prime-power factorization of $n$ is $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$. Because

$$\phi(n) = \prod_{j=1}^{k} p_j^{a_j - 1}(p_j - 1),$$

the equation $\phi(n) = 8$ implies that no prime exceeding 9 divides $n$ (otherwise $\phi(n) \ge
p_j - 1 > 8$). Furthermore, 7 cannot divide $n$ because if it did, $7 - 1 = 6$ would be a factor
of $\phi(n)$. It follows that $n = 2^a 3^b 5^c$, where $a$, $b$, and $c$ are nonnegative integers. We can
also conclude that $b = 0$ or $b = 1$ and that $c = 0$ or $c = 1$; otherwise, 3 or 5 would divide
$\phi(n) = 8$.

To find all solutions, we need only consider four cases. When $b = c = 0$, we have
$n = 2^a$, where $a \ge 1$. This implies that $\phi(n) = 2^{a-1}$, which means that $a = 4$ and $n = 16$.
When $b = 0$ and $c = 1$, we have $n = 2^a \cdot 5$, where $a \ge 1$. This implies that $\phi(n) = 2^{a-1} \cdot 4$,
so $a = 2$ and $n = 20$. When $b = 1$ and $c = 0$, we have $n = 2^a \cdot 3$, where $a \ge 1$. This implies
that $\phi(n) = 2^{a-1} \cdot 2 = 2^a$, so $a = 3$ and $n = 24$. Finally, when $b = 1$ and $c = 1$, we have
$n = 2^a \cdot 3 \cdot 5$. We need to consider the case where $a = 0$, as well as the case where $a \ge 1$.
When $a = 0$, we have $n = 15$, which is a solution because $\phi(15) = 8$. When $a \ge 1$, we
have $\phi(n) = 2^{a-1} \cdot 2 \cdot 4 = 2^{a+2}$. This means that $a = 1$ and $n = 30$. Putting everything
together, we see that all the solutions to $\phi(n) = 8$ are $n = 15, 16, 20, 24$, and 30. ◄
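
The case analysis of Example 7.7 rests on one constraint: if a prime $p$ divides $n$, then $p - 1$ divides $\phi(n)$. The Python below is an added example, not part of the text, that turns this into a search for all $n$ with $\phi(n) = k$ for any positive integer $k$, which goes beyond the single case $k = 8$ worked above; `inverse_phi` and its helpers are names chosen for this example.

```python
from math import isqrt


def divisors(k):
    """All positive divisors of k, in increasing order."""
    small = [d for d in range(1, isqrt(k) + 1) if k % d == 0]
    return sorted(set(small + [k // d for d in small]))


def is_prime(p):
    """Trial division; adequate for the small candidates d + 1 that arise here."""
    return p >= 2 and all(p % q for q in range(2, isqrt(p) + 1))


def inverse_phi(k):
    """Return every positive integer n with phi(n) = k, in increasing order."""
    if k < 1:
        raise ValueError("k must be a positive integer")
    # If p divides n then (p - 1) divides phi(n) = k, so p = d + 1 for some d | k.
    primes = [d + 1 for d in divisors(k) if is_prime(d + 1)]

    def build(remaining, start):
        """All n using primes[start:], each at most once, with phi(n) = remaining."""
        found = [1] if remaining == 1 else []
        for i in range(start, len(primes)):
            p = primes[i]
            if remaining % (p - 1):
                continue
            rest = remaining // (p - 1)   # what is left after the factor p - 1
            power = p                     # p^a for a = 1, 2, ...
            while True:
                # phi(p^a) = p^(a-1) (p - 1) has now been divided out of `remaining`.
                found.extend(power * tail for tail in build(rest, i + 1))
                if rest % p:
                    break
                rest //= p
                power *= p
        return found

    return sorted(build(k, 0))


if __name__ == "__main__":
    print(inverse_phi(8))    # the five solutions found in Example 7.7
```

Because each prime is tried in a fixed order and used at most once, every solution is produced exactly once, and the search ends because the remaining quotient shrinks at every step.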


7.1 Exercises 

1. Determine whether each of the following arithmetic functions is completely multiplicative.
Prove your answers.

a) $f(n) = 0$      d) $f(n) = \log n$      g) $f(n) = n + 1$

b) $f(n) = 2$      e) $f(n) = n^2$         h) $f(n) = n^n$

c) $f(n) = n/2$    f) $f(n) = n!$          i) $f(n) = \sqrt{n}$

2. Find the value of the Euler phi-function at each of these integers.

a) 100      c) 1001      e) 10!

b) 256      d) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13$      f) 20!

3. Show that $\phi(5186) = \phi(5187) = \phi(5188)$.

4. Find all positive integers $n$ such that $\phi(n)$ has each of these values. Be sure to prove that you
have found all solutions.

a) 1      b) 2      c) 3      d) 4

5. Find all positive integers $n$ such that $\phi(n) = 6$. Be sure to prove that you have found all
solutions.

6. Find all positive integers $n$ such that $\phi(n) = 12$. Be sure to prove that you have found all
solutions.

7. Find all positive integers $n$ such that $\phi(n) = 24$. Be sure to prove that you have found all
solutions.

8. Show that there is no positive integer $n$ such that $\phi(n) = 14$.

9. Can you find a rule involving the Euler phi-function for producing the terms of the sequence

1, 2, 2, 4, 4, 4, 6, 8, 6, . . .?

10. Can you find a rule involving the Euler phi-function for producing the terms of the sequence

2, 3, 0, 4, 0, 4, 0, 5, 0, . . .?

11. For which positive integers $n$ does $\phi(3n) = 3\phi(n)$?

12. For which positive integers $n$ is $\phi(n)$ divisible by 4?

13. For which positive integers $n$ is $\phi(n)$ equal to $n/2$?

14. For which positive integers $n$ does $\phi(n) \mid n$?

15. Show that if $n$ is a positive integer, then

$$\phi(2n) = \begin{cases} \phi(n) & \text{if } n \text{ is odd;} \\ 2\phi(n) & \text{if } n \text{ is even.} \end{cases}$$

16. Show that if $n$ is a positive integer having $k$ distinct odd prime divisors, then $\phi(n)$ is divisible
by $2^k$.

17. For which positive integers $n$ is $\phi(n)$ a power of 2?

18. Show that if $n$ is an odd integer, then $\phi(4n) = 2\phi(n)$.

19. Show that if $n = 2\phi(n)$, where $n$ is a positive integer, then $n = 2^j$ for some positive integer $j$.

20. Let $p$ be prime. Show that $p \nmid n$, where $n$ is a positive integer, if and only if $\phi(np) =
(p - 1)\phi(n)$.

21. Show that if $m$ and $n$ are positive integers and $(m, n) = p$, where $p$ is prime, then $\phi(mn) =
p\phi(m)\phi(n)/(p - 1)$.

22. Show that if $m$ and $k$ are positive integers, then $\phi(m^k) = m^{k-1}\phi(m)$.

23. Show that if $a$ and $b$ are positive integers, then

Conclude that $\phi(ab) > \phi(a)\phi(b)$ when $(a, b) > 1$.

24. Find the least positive integer $n$ such that the following hold.

a) $\phi(n) > 100$       c) $\phi(n) > 10{,}000$

b) $\phi(n) > 1000$      d) $\phi(n) > 100{,}000$

25. Use the Euler phi-function to show that there are infinitely many primes. (Hint: Assume there
are only a finite number of primes $p_1, \ldots, p_k$. Consider the value of the Euler phi-function
at the product of these primes.)

26. Show that if the equation $\phi(n) = k$, where $k$ is a positive integer, has exactly one solution $n$,
then $36 \mid n$.

27. Show that the equation $\phi(n) = k$, where $k$ is a positive integer, has finitely many solutions in
integers $n$ whenever $k$ is a positive integer.

28. Show that if $p$ is prime, $2^a p + 1$ is composite for $a = 1, 2, \ldots, r$, and $p$ is not a Fermat
prime, where $r$ is a positive integer, then $\phi(n) = 2^r p$ has no solution.

* 29. Show that there are infinitely many positive integers $k$ such that the equation $\phi(n) = k$
has exactly two solutions, where $n$ is a positive integer. (Hint: Take $k = 2 \cdot 3^{6j+1}$, where
$j = 1, 2, \ldots$.)

30. Show that if $n$ is a positive integer with $n \ne 2$ and $n \ne 6$, then $\phi(n) \ge \sqrt{n}$.

* 31. Show that if $n$ is a composite positive integer and $\phi(n) \mid n - 1$, then $n$ is square-free and is
the product of at least three distinct primes.

32. Show that if $m$ and $n$ are positive integers with $m \mid n$, then $\phi(m) \mid \phi(n)$.

* 33. Prove Theorem 7.5, using the principle of inclusion-exclusion (see Exercise 16 of Appendix B).

34. Show that a positive integer $n$ is composite if and only if $\phi(n) \le n - \sqrt{n}$.

35. Let $n$ be a positive integer. Define the sequence of positive integers $n_1, n_2, n_3, \ldots$ recursively
by $n_1 = \phi(n)$ and $n_{k+1} = \phi(n_k)$ for $k = 1, 2, 3, \ldots$. Show that there is a positive integer $r$
such that $n_r = 1$.

A multiplicative function is called strongly multiplicative if and only if $f(p^k) = f(p)$ for every
prime $p$ and every positive integer $k$.

36. Show that $f(n) = \phi(n)/n$ is a strongly multiplicative function.

Two arithmetic functions $f$ and $g$ may be multiplied using the Dirichlet product, which is defined
by

$$(f * g)(n) = \sum_{d \mid n} f(d) g(n/d).$$

37. Show that $f * g = g * f$.

38. Show that $(f * g) * h = f * (g * h)$.

We define the $\iota$ function by



39. a) Show that $\iota$ is a multiplicative function.

b) Show that $\iota * f = f * \iota = f$ for all arithmetic functions $f$.

40. The arithmetic function $g$ is said to be the inverse of the arithmetic function $f$ if $f * g =
g * f = \iota$. Show that the arithmetic function $f$ has an inverse if and only if $f(1) \ne 0$. Show
that if $f$ has an inverse it is unique. (Hint: When $f(1) \ne 0$, find the inverse $f^{-1}$ of $f$ by
calculating $f^{-1}(n)$ recursively, using the fact that $\iota(n) = \sum_{d \mid n} f(d) f^{-1}(n/d)$.)

41. Show that if $f$ and $g$ are multiplicative functions, then the Dirichlet product $f * g$ is also
multiplicative.

42. Show that if $f$ and $g$ are arithmetic functions, $F = f * g$, and $h$ is the Dirichlet inverse of $g$,
then $f = F * h$.


We define Liouville’s function $\lambda(n)$, named after French mathematician Joseph Liouville, by
$\lambda(1) = 1$, and for $n > 1$, $\lambda(n) = (-1)^{a_1 + a_2 + \cdots + a_m}$, where the prime-power factorization of $n$ is
$n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

43. Find $\lambda(n)$ for each of the following values of $n$.

a) 12      c) 210       e) 1001      g) 20!

b) 20      d) 1000      f) 10!

44. Show that $\lambda(n)$ is completely multiplicative.

45. Show that if $n$ is a positive integer, then $\sum_{d \mid n} \lambda(d)$ equals 0 if $n$ is not a perfect square, and
equals 1 if $n$ is a perfect square.

46. Show that if $f$ and $g$ are multiplicative functions, then $fg$ is also multiplicative, where
$(fg)(n) = f(n)g(n)$ for every positive integer $n$.

47. Show that if $f$ and $g$ are completely multiplicative functions, then $fg$ is also completely
multiplicative.

48. Show that if $f$ is completely multiplicative, then $f(n) = f(p_1)^{a_1} f(p_2)^{a_2} \cdots f(p_m)^{a_m}$, where
the prime-power factorization of $n$ is $n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

A function $f$ that satisfies the equation $f(mn) = f(m) + f(n)$ for all relatively prime positive
integers $m$ and $n$ is called additive, and if the above equation holds for all positive integers $m$ and
$n$, $f$ is called completely additive.

49. Show that the function $f(n) = \log n$ is completely additive.

The function $\omega(n)$ is the function that denotes the number of distinct prime factors of the positive
integer $n$.

50. Find $\omega(n)$ for each of the following integers.

a) 1      b) 2      c) 20      d) 84      e) 128

51. Find $\omega(n)$ for each of the following integers.

a) 12      b) 30      c) 32      d) 10!      e) 20!      f) 50!


JOSEPH LIOUVILLE (1809-1882), born in Saint-Omer, France, was the
son of a captain in Napoleon’s army. He studied mathematics at the College
St. Louis in Paris, and in 1825 he enrolled in the Ecole Polytechnique; after
graduating, he entered the Ecole des Ponts et Chaussees (School of Bridges
and Roads). Health problems while working on engineering projects and his
interest in theoretical topics convinced him to pursue an academic career. He
left the Ecole des Ponts et Chaussees in 1830, but during his time there he wrote
papers on electrodynamics, the theory of heat, and partial differential equations. 

Liouville’s first academic appointment was as an assistant at the Ecole Polytechnique in 1831. 
He had a teaching load of around 40 hours a week at several different institutions. Some of his 
less able students complained that he lectured at too high a level. In 1836, Liouville founded the 
Journal de Mathematiques Pures et Appliquees, which played an important role in French mathematics
in the nineteenth century. In 1837, he was appointed to lecture at the College de France, and the 
following year he was appointed Professor at the Ecole Polytechnique. Besides his academic interests, 
Liouville was also involved in politics. He was elected to Constituting Assembly in 1848 as a moderate 
republican, but lost in the election of 1849, embittering him. Liouville was appointed to a chair at the 
College de France in 1851, and the chair of mechanics at the Faculte des Sciences in 1857. Around 
this time, his heavy teaching load began to take its toll. Liouville was a perfectionist and was unhappy 
when he could not devote sufficient time to his lectures.

Liouville’s work covered many diverse areas of mathematics, including mathematical physics, 
astronomy, and many areas of pure mathematics. He was the first person to provide an explicit example 
of a transcendental number. He is also known today for what is now called Sturm-Liouville theory, used
in the solution of integral equations, and he made important contributions to differential geometry. 
His total output exceeds 400 papers in the mathematical sciences, with nearly half of those in number 
theory alone. 

52. Show that $\omega(n)$ is additive, but not completely additive.

53. Show that if $f$ is an additive function and $g(n) = 2^{f(n)}$, then $g$ is multiplicative.

54. Show that the function $n^k$ is completely multiplicative for every real number $k$.

Computations and Explorations

1. Find $\phi(n)$ when $n$ takes each of the following values.

a) 185,888,434,028      b) 1,111,111,111,111

2. Find the number of iterations of the Euler phi-function required to reach 1, starting with each
of the integers in Computation 1.

3. Find the largest integer $n$ such that $\phi(n) < k$ for each of the following values of $k$.

a) 1,000,000      b) 10,000,000

4. Find as many positive integers $n$ as you can, such that $\phi(n) = \phi(n + 1)$. Can you formulate
any conjectures based on the evidence that you have found?

5. Can you find a positive integer $n$ other than 5186 such that $\phi(n) = \phi(n + 1) = \phi(n + 2)$?
Can you find four consecutive positive integers $n$, $n + 1$, $n + 2$, $n + 3$, such that $\phi(n) =
\phi(n + 1) = \phi(n + 2) = \phi(n + 3)$?

6. An open conjecture of D. H. Lehmer asserts that $n$ is prime if $\phi(n)$ divides $n - 1$. Explore
the truth of this conjecture.

7. An open conjecture of Carmichael asserts that for every positive integer $n$ there is a positive
integer $m$ such that $\phi(m) = \phi(n)$. Gather as much evidence as possible for this conjecture.


Programming Projects

1. Given a positive integer $n$, find the value of $\phi(n)$.

2. Given a positive integer $n$, find the number of iterations of the phi-function, starting with $n$,
required to reach 1. (This is the integer $r$ in Exercise 35.)

3. Given a positive integer $k$, find the number of solutions of $\phi(n) = k$.


7.2 The Sum and Number of Divisors 

As we mentioned in Section 7.1, the number of divisors and the sum of divisors are both
multiplicative functions. We will show that these functions are multiplicative, and will
derive formulas for their values at a positive integer $n$ from the prime factorization of $n$.

Definition. The sum of divisors function, denoted by $\sigma$, is defined by setting $\sigma(n)$ equal
to the sum of all the positive divisors of $n$.

In Table 7.1, we give $\sigma(n)$ for $1 \le n \le 12$. The values of $\sigma(n)$ for $1 \le n \le 100$ are
given in Table 2 of Appendix E. (These values can also be computed using Maple or
Mathematica.)

$n$            1   2   3   4   5   6   7   8   9   10   11   12
$\sigma(n)$    1   3   4   7   6   12  8   15  13  18   12   28

Table 7.1 The sum of the divisors for $1 \le n \le 12$.


Definition. The number of divisors function, denoted by $\tau$, is defined by setting $\tau(n)$
equal to the number of positive divisors of $n$.


In Table 7.2, we give $\tau(n)$ for $1 \le n \le 12$. The values of $\tau(n)$ for $1 \le n \le 100$ are
given in Table 2 of Appendix E. (These values can also be computed using Maple or
Mathematica.)

$n$          1   2   3   4   5   6   7   8   9   10   11   12
$\tau(n)$    1   2   2   3   2   4   2   4   3   4    2    6

Table 7.2 The number of divisors for $1 \le n \le 12$.

Note that we can express $\sigma(n)$ and $\tau(n)$ in summation notation. It is simple to see
that

$$\sigma(n) = \sum_{d \mid n} d$$

and

$$\tau(n) = \sum_{d \mid n} 1.$$

To prove that $\sigma$ and $\tau$ are multiplicative, we use the following theorem.

Theorem 7.8. If $f$ is a multiplicative function, then the summatory function of $f$,
namely, $F(n) = \sum_{d \mid n} f(d)$, is also multiplicative.

Before we prove the theorem, we illustrate the idea behind its proof with the
following example. Let $f$ be a multiplicative function, and let $F(n) = \sum_{d \mid n} f(d)$. We
will show that $F(60) = F(4)F(15)$. Each of the divisors of 60 may be written as the
product of a divisor of 4 and a divisor of 15 in the following way: $1 = 1 \cdot 1$, $2 = 2 \cdot 1$,
$3 = 1 \cdot 3$, $4 = 4 \cdot 1$, $5 = 1 \cdot 5$, $6 = 2 \cdot 3$, $10 = 2 \cdot 5$, $12 = 4 \cdot 3$, $15 = 1 \cdot 15$, $20 = 4 \cdot 5$,
$30 = 2 \cdot 15$, $60 = 4 \cdot 15$ (in each product, the first factor is the divisor of 4, and the second
is the divisor of 15). Hence,

$$
\begin{aligned}
F(60) &= f(1) + f(2) + f(3) + f(4) + f(5) + f(6) + f(10) + f(12) \\
      &\quad + f(15) + f(20) + f(30) + f(60) \\
      &= f(1 \cdot 1) + f(2 \cdot 1) + f(1 \cdot 3) + f(4 \cdot 1) + f(1 \cdot 5) + f(2 \cdot 3) \\
      &\quad + f(2 \cdot 5) + f(4 \cdot 3) + f(1 \cdot 15) + f(4 \cdot 5) + f(2 \cdot 15) + f(4 \cdot 15) \\
      &= f(1)f(1) + f(2)f(1) + f(1)f(3) + f(4)f(1) + f(1)f(5) \\
      &\quad + f(2)f(3) + f(2)f(5) + f(4)f(3) + f(1)f(15) + f(4)f(5) \\
      &\quad + f(2)f(15) + f(4)f(15) \\
      &= (f(1) + f(2) + f(4))(f(1) + f(3) + f(5) + f(15)) \\
      &= F(4)F(15).
\end{aligned}
$$

We now prove Theorem 7.8 using the idea illustrated by the example. 

Proof. To show that $F$ is a multiplicative function, we must show that if $m$ and $n$
are relatively prime positive integers, then $F(mn) = F(m)F(n)$. So let us assume that
$(m, n) = 1$. We have

$$F(mn) = \sum_{d \mid mn} f(d).$$

By Lemma 3.7, because $(m, n) = 1$, each divisor of $mn$ can be written uniquely as the
product of relatively prime divisors $d_1$ of $m$ and $d_2$ of $n$, and each pair of divisors $d_1$ of
$m$ and $d_2$ of $n$ corresponds to a divisor $d = d_1 d_2$ of $mn$. Hence, we can write

$$F(mn) = \sum_{\substack{d_1 \mid m \\ d_2 \mid n}} f(d_1 d_2).$$

Because $f$ is multiplicative, and $(d_1, d_2) = 1$, we see that

$$
\begin{aligned}
F(mn) &= \sum_{\substack{d_1 \mid m \\ d_2 \mid n}} f(d_1) f(d_2) \\
      &= \sum_{d_1 \mid m} f(d_1) \sum_{d_2 \mid n} f(d_2) \\
      &= F(m)F(n).
\end{aligned}
$$ ■

We can now use Theorem 7.8 to show that $\sigma$ and $\tau$ are multiplicative.

Corollary 7.8.1. The sum of divisors function $\sigma$ and the number of divisors function
$\tau$ are multiplicative functions.

Proof. Let $f(n) = n$ and $g(n) = 1$. Both $f$ and $g$ are multiplicative. By Theorem 7.8,
we see that $\sigma(n) = \sum_{d \mid n} f(d)$ and $\tau(n) = \sum_{d \mid n} g(d)$ are multiplicative. ■

Now that we know that $\sigma$ and $\tau$ are multiplicative, we can derive formulas for their
values based on prime factorizations. First, we find formulas for $\sigma(n)$ and $\tau(n)$ when $n$
is the power of a prime.

Lemma 7.1. Let $p$ be prime and $a$ a positive integer. Then

$$\sigma(p^a) = 1 + p + p^2 + \cdots + p^a = \frac{p^{a+1} - 1}{p - 1}$$

and

$$\tau(p^a) = a + 1.$$

Proof. The divisors of $p^a$ are $1, p, p^2, \ldots, p^{a-1}, p^a$. Consequently, $p^a$ has exactly
$a + 1$ divisors, so that $\tau(p^a) = a + 1$. Also, we note that $\sigma(p^a) = 1 + p + p^2 + \cdots +
p^{a-1} + p^a = \frac{p^{a+1} - 1}{p - 1}$, using the formula in Example 1.15 for the sum of terms of a
geometric progression. ■

Example 7.8. When we apply Lemma 7.1 with $p = 5$ and $a = 3$, we find that $\sigma(5^3) =
1 + 5 + 5^2 + 5^3 = \frac{5^4 - 1}{5 - 1} = 156$ and $\tau(5^3) = 1 + 3 = 4$. ◄

Lemma 7.1 and Corollary 7.8.1 lead to the following formulas. 


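Theorem 7.9. Let the positive integer $n$ have prime factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$.
Then

$$\sigma(n) = \frac{p_1^{a_1+1} - 1}{p_1 - 1} \cdot \frac{p_2^{a_2+1} - 1}{p_2 - 1} \cdots \frac{p_s^{a_s+1} - 1}{p_s - 1} = \prod_{j=1}^{s} \frac{p_j^{a_j+1} - 1}{p_j - 1}$$

and

$$\tau(n) = (a_1 + 1)(a_2 + 1) \cdots (a_s + 1) = \prod_{j=1}^{s} (a_j + 1).$$

Proof. Because both $\sigma$ and $\tau$ are multiplicative, we see that $\sigma(n) = \sigma(p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s})
= \sigma(p_1^{a_1})\sigma(p_2^{a_2}) \cdots \sigma(p_s^{a_s})$ and $\tau(n) = \tau(p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}) = \tau(p_1^{a_1})\tau(p_2^{a_2}) \cdots \tau(p_s^{a_s})$.
Inserting the values for $\sigma(p_j^{a_j})$ and $\tau(p_j^{a_j})$ found in Lemma 7.1, we obtain the desired
formulas. ■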

We illustrate how to use Theorem 7.9 with the following example. 


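Example 7.9. Using Theorem 7.9, we find

$$\sigma(200) = \sigma(2^3 5^2) = \frac{2^4 - 1}{2 - 1} \cdot \frac{5^3 - 1}{5 - 1} = 15 \cdot 31 = 465,$$

$$\tau(200) = \tau(2^3 5^2) = (3 + 1)(2 + 1) = 12.$$

Similarly, we have

$$\sigma(720) = \sigma(2^4 \cdot 3^2 \cdot 5) = \frac{2^5 - 1}{2 - 1} \cdot \frac{3^3 - 1}{3 - 1} \cdot \frac{5^2 - 1}{5 - 1} = 31 \cdot 13 \cdot 6 = 2418,$$

$$\tau(2^4 \cdot 3^2 \cdot 5) = (4 + 1)(2 + 1)(1 + 1) = 30.$$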
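
The product formulas in this section and the last (Theorem 7.5 for $\phi$, Theorem 7.9 for $\sigma$ and $\tau$) all start from the same prime-power factorization, so one routine serves all three. The Python below is an added example, not part of the text; the function names are this example's own, and `summatory` evaluates $F(n) = \sum_{d \mid n} f(d)$ directly so that Theorem 7.7 and Corollary 7.8.1 can be checked numerically.

```python
def factorize(n):
    """Prime-power factorization of n >= 1 by trial division, as {prime: exponent}."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:                       # whatever is left is a single prime factor
        factors[n] = 1
    return factors


def phi(n):
    """Theorem 7.5 in the form phi(n) = product of p^(a-1) (p - 1)."""
    result = 1
    for p, a in factorize(n).items():
        result *= p ** (a - 1) * (p - 1)
    return result


def sigma(n):
    """Theorem 7.9: sigma(n) = product of (p^(a+1) - 1) / (p - 1)."""
    result = 1
    for p, a in factorize(n).items():
        result *= (p ** (a + 1) - 1) // (p - 1)
    return result


def tau(n):
    """Theorem 7.9: tau(n) = product of (a + 1)."""
    result = 1
    for a in factorize(n).values():
        result *= a + 1
    return result


def divisors(n):
    """Every divisor of n, built as a product of one prime-power divisor per prime."""
    divs = [1]
    for p, a in factorize(n).items():
        divs = [d * p ** e for d in divs for e in range(a + 1)]
    return sorted(divs)


def summatory(f, n):
    """F(n) = sum of f(d) over the positive divisors d of n."""
    return sum(f(d) for d in divisors(n))


if __name__ == "__main__":
    for n in (100, 200, 720):
        print(n, factorize(n), "phi =", phi(n), "sigma =", sigma(n), "tau =", tau(n))
    print("sum of phi(d) over d | 18:", summatory(phi, 18))
```
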

7.2 Exercises

1. Find the sum of the positive integer divisors of each of these integers.

a) 35        d) $2^{100}$                                  g) 10!

b) 196       e) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$       h) 20!

c) 1000      f) $2^5 3^4 5^3 7^2 11$

2. Find the number of positive integer divisors of each of these integers.

a) 36      c) 144      e) $2 \cdot 3^2 \cdot 5^3 \cdot 7^4 \cdot 11^5 \cdot 13^4 \cdot 17^5 \cdot 19^5$

b) 99      d) $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19$      f) 20!

3. Which positive integers have an odd number of positive divisors?

4. For which positive integers $n$ is the sum of divisors of $n$ odd?

* 5. Find all positive integers $n$ with $\sigma(n)$ equal to each of these integers.

a) 12      c) 24      e) 52

b) 18      d) 48      f) 84

* 6. Find the smallest positive integer $n$ with $\tau(n)$ equal to each of these integers.

a) 1      c) 3      e) 14

b) 2      d) 6      f) 100

7. Show that if $k > 1$ is an integer, then the equation $\tau(n) = k$ has infinitely many solutions.

8. Which positive integers have exactly two positive divisors?

9. Which positive integers have exactly three positive divisors?

10. Which positive integers have exactly four positive divisors?

11. What is the product of the positive divisors of a positive integer $n$?

12. Show that the equation $\sigma(n) = k$ has at most a finite number of solutions when $k$ is a positive
integer.

13. For each of the following sequences, can you find a rule for producing the terms of the
sequence that involves the $\tau$ and/or the $\sigma$ function?

a) 3, 7, 12, 15, 18, 28, 24, 31, . . .      c) 1, 2, 4, 6, 16, 12, 64, 24, 36, 48, . . .

b) 0, 1, 2, 4, 4, 8, 6, 11, . . .           d) 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 2, 1, . . .

14. For each of the following sequences, can you find a rule for producing the terms of the
sequence that involves the $\tau$ and/or the $\sigma$ function?

a) 2, 5, 6, 10, 8, 16, 10, 19, 16, 22, . . .

b) 1, 4, 6, 8, 13, 12, 14, 24, 18, . . .

c) 6, 8, 10, 14, 15, 21, 22, 26, 27, 33, 34, 35, . . .

d) 1, 2, 2, 2, 3, 2, 2, 4, 2, 2, 4, 2, 3, . . .

A positive integer $n$, $n > 1$, is highly composite, a concept introduced by the famous Indian
mathematician Srinivasa Ramanujan, if $\tau(m) < \tau(n)$ for all integers $m$ with $1 \le m < n$.

15. Find the first six highly composite positive integers.

16. Show that if $n$ is a highly composite positive integer and $m$ is a positive integer with
$\tau(m) > \tau(n)$, then there exists a highly composite integer $k$ such that $n < k \le m$. Conclude
that there are infinitely many highly composite integers.

17. Show that if $n > 1$, there exists a highly composite number $k$ such that $n < k \le 2n$. Use this to
provide an upper bound on the $m$th highly composite number, where $m$ is a positive integer.

18. Show that if $n$ is a highly composite positive integer, there exists a positive integer $k$ such
that $n = 2^{a_1} 3^{a_2} 5^{a_3} \cdots p_k^{a_k}$, where $p_k$ is the $k$th prime and $a_1 \ge a_2 \ge \cdots \ge a_k \ge 1$.



SRINIVASA RAMANUJAN (1887-1920) was born and raised in southern
India, near Madras. His father was a clerk in a cloth shop and his mother 
contributed to the family income by singing at a local temple. Ramanujan 
studied at a local English language school, displaying a talent in mathematics. 
At 13, he mastered a textbook used by college students; when he was 15,
a university student lent him a copy of Synopsis of Pure Mathematics, and 
Ramanujan decided to work out the more than 6000 results in this book. He 
graduated from high school in 1904, winning a scholarship to the University of 
Madras. Enrolling in a fine arts curriculum, he neglected subjects other than mathematics and lost his 
scholarship. During this time, he filled his notebooks with original writings, sometimes rediscovering 
already published work, and at other times making new discoveries. 

Lacking a university degree, Ramanujan found it difficult to land a decent job. To survive, he
depended on the good will of friends. He tutored students, but his unconventional ways of thinking 
and failure to stick to the syllabus caused problems. He was married in 1909 in an arranged marriage 
to a woman who was 13 years old. Needing to support himself and his wife, he moved to Madras
looking for a job. He showed his notebooks to potential employers, but his writings bewildered them. 
However, a professor at the Presidency College recognized his genius and supported him, and in 1912
he found work as an accounts clerk, which earned him a small salary. 

Ramanujan continued his mathematical investigations, publishing his first paper in 1910 in an 
Indian journal. Realizing that his work was beyond that of Indian mathematicians, he decided to write 
to leading English mathematicians. Although the first mathematicians turned down his request for 
help, G. H. Hardy arranged a scholarship for Ramanujan, bringing him to England in 1914. Hardy
initially was inclined to turn Ramanujan down, but the mathematical results Ramanujan stated without 
proof in his letter puzzled Hardy. He examined Ramanujan’s writings with the aid of his collaborator, 
J. E. Littlewood. They decided that Ramanujan was probably a genius, as his statements “could only be 
written down by a mathematician of the highest class; they must be true, because if they were not true, 
no one would have the imagination to invent them.” Hardy personally tutored Ramanujan and they 
collaborated for five years, proving significant theorems about the partitions of integers. During this 
time, Ramanujan made important contributions to number theory, and worked on elliptic functions, 
infinite series, and continued fractions. Ramanujan had amazing insight involving certain types of 
functions and series, but his purported theorems on prime numbers were often wrong, illustrating his 
vague idea of what makes up a correct proof. 

Ramanujan was one of the youngest members ever appointed a Fellow of the Royal Society.
Unfortunately, in 1917, he became extremely ill. Although it was once thought he contracted tuberculosis,
it is now thought that he suffered from a vitamin deficiency brought on by his strict vegetarianism 
and shortages in wartime England. He returned to India in 1919 and continued his mathematical work 
even while confined to bed. He was highly religious and thought that his mathematical talent came 
from his family deity, Namaigiri. He said that “an equation for me has no meaning unless it expresses 
a thought of God.” He died in April 1920, leaving several notebooks of unpublished results.
Mathematicians have devoted many years of study to the explanation and justification of the results jotted
down in Ramanujan’s notebooks. 

19. Find all highly composite numbers of the form $2^a 3^b$, where $a$ and $b$ are nonnegative integers.

Let $\sigma_k(n)$ denote the sum of the $k$th powers of the divisors of $n$, so that $\sigma_k(n) = \sum_{d \mid n} d^k$. Note
that $\sigma_1(n) = \sigma(n)$.

20. Find $\sigma_3(4)$, $\sigma_3(6)$, and $\sigma_3(12)$.

21. Give a formula for $\sigma_k(p)$, where $p$ is prime.

22. Give a formula for $\sigma_k(p^a)$, where $p$ is prime and $a$ is a positive integer.

23. Show that the function $\sigma_k$ is multiplicative.

24. Using Exercises 22 and 23, find a formula for $\sigma_k(n)$, where $n$ has prime-power factorization
$n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$.

25. Find all positive integers $n$ such that $\phi(n) + \sigma(n) = 2n$.

26. Show that no two positive integers have the same product of divisors.

27. Show that the number of ordered pairs of positive integers with least common multiple equal
to the positive integer $n$ is $\tau(n^2)$.

28. Let $n$ be a positive integer, $n > 2$. Define the sequence of integers $n_1, n_2, n_3, \ldots$ by $n_1 = \tau(n)$
and $n_{k+1} = \tau(n_k)$ for $k = 1, 2, 3, \ldots$. Show that there is a positive integer $r$ such that
$2 = n_r = n_{r+1} = n_{r+2} = \cdots$.

29. Show that a positive integer $n$ is composite if and only if $\sigma(n) > n + \sqrt{n}$.

30. Let $n$ be a positive integer. Show that $\tau(2^n - 1) \ge \tau(n)$.

31. Show that Y?j=\ r O) = 2 — [V^] 2 whenever n is a positive integer. Then use 

this formula to find J2f=\ r U)- 

32. Let $a$ and $b$ be positive integers. Show that $\sigma(a)/a \le \sigma(ab)/(ab) \le \sigma(a)\sigma(b)/(ab)$.

33. Show that if $a$ and $b$ are positive integers, then $\sigma(a)\sigma(b) = \sum_{d \mid (a, b)} d\,\sigma(ab/d^2)$.

34. Show that if $n$ is a positive integer, then $\left(\sum_{d \mid n} \tau(d)\right)^2 = \sum_{d \mid n} \tau(d)^3$.

35. Show that if $n$ is a positive integer, then $\tau(n^2) = \sum_{d \mid n} 2^{\omega(d)}$, where $\omega(n)$ equals the number
of prime divisors of $n$.

36. Show that $\sum_{d \mid n} n\sigma(d)/d = \sum_{d \mid n} d\tau(d)$ whenever $n$ is a positive integer.

37. Find the determinant of the $n \times n$ matrix with $(i, j)$th entry equal to $(i, j)$.

38. Let $n$ be a positive integer such that $24 \mid (n + 1)$. Show that $\sigma(n)$ is divisible by 24.

39. Show that there are infinitely many pairs of positive integers $m$, $n$ such that $\phi(m) = \sigma(n)$,
if there are infinitely many pairs of twin primes or infinitely many Mersenne primes (that is,
primes of the form $2^p - 1$, where $p$ is prime).

40. Prove that $\sum_{d \mid n} \phi(d) = n$ (Theorem 7.7) as a consequence of Theorem 7.8.

Computations and Explorations 

1. Find $\tau(n)$, $\sigma(n)$, and $\sigma_2(n)$ (as defined in the preamble to Exercise 20) for each of the
following values of n.
a) 121,110,987,654
b) 11,111,111,111
c) 98,989,898,989

2. Find as many pairs, triples, and quadruples as you can of consecutive integers, each with the
same number of positive divisors.

3. Determine the number of iterations required for the sequence $n_1 = \tau(n)$,
$n_2 = \tau(n_1)$, ..., $n_{k+1} = \tau(n_k)$, ... to reach the integer 2, for all positive integers n not
exceeding 1000. Formulate some conjectures based on your evidence.

4. Find all the highly composite integers (as defined in the preamble to Exercise 15) not 
exceeding 10,000. 

* 5. Show that 29,331,862,500 is a highly composite integer. 

Programming Projects 

1. Given a positive integer n, find $\tau(n)$, the number of positive divisors of n.

2. Given a positive integer n, find $\sigma(n)$, the sum of the positive divisors of n.

3. Given a positive integer n and a positive integer k, find $\sigma_k(n)$, the sum of the kth powers of
the positive divisors of n.

4. Given a positive integer n, find the integer r defined in Exercise 28. 

5. Given a positive integer n, determine whether n is highly composite. 


7.3 Perfect Numbers and Mersenne Primes 

Because of certain mystical beliefs, the ancient Greeks were interested in those integers 
that are equal to the sum of all their proper positive divisors. Such integers are called 
perfect numbers. 

Definition. If n is a positive integer and $\sigma(n) = 2n$, then n is called a perfect number.

Example 7.10. Because $\sigma(6) = 1 + 2 + 3 + 6 = 12$, we see that 6 is perfect. We also
note that $\sigma(28) = 1 + 2 + 4 + 7 + 14 + 28 = 56$, so that 28 is another perfect number.


The ancient Greeks knew how to find all even perfect numbers. The following 
theorem tells us which even positive integers are perfect. 

Theorem 7.10. The positive integer n is an even perfect number if and only if

$n = 2^{m-1}(2^m - 1)$,

where m is an integer such that $m \ge 2$ and $2^m - 1$ is prime.

Proof. First, we show that if $n = 2^{m-1}(2^m - 1)$, where $2^m - 1$ is prime, then n is
perfect. We note that because $2^m - 1$ is odd, we have $(2^{m-1}, 2^m - 1) = 1$. Because $\sigma$
is a multiplicative function, we see that

$\sigma(n) = \sigma(2^{m-1})\sigma(2^m - 1)$.

Lemma 7.1 tells us that $\sigma(2^{m-1}) = 2^m - 1$ and $\sigma(2^m - 1) = 2^m$, because we are assuming
that $2^m - 1$ is prime. Consequently,

$\sigma(n) = (2^m - 1)2^m = 2n$,

demonstrating that n is a perfect number.

To show that the converse is true, let n be an even perfect number. Write $n = 2^s t$,
where s and t are positive integers and t is odd. Because $(2^s, t) = 1$, we see from Lemma
7.1 that

(7.1) $\sigma(n) = \sigma(2^s t) = \sigma(2^s)\sigma(t) = (2^{s+1} - 1)\sigma(t)$.

Because n is perfect, we have

(7.2) $\sigma(n) = 2n = 2^{s+1} t$.

Combining (7.1) and (7.2) shows that

(7.3) $(2^{s+1} - 1)\sigma(t) = 2^{s+1} t$.

Because $(2^{s+1}, 2^{s+1} - 1) = 1$, from Lemma 3.4 we see that $2^{s+1} \mid \sigma(t)$. Therefore, there
is an integer q such that $\sigma(t) = 2^{s+1} q$. Inserting this expression for $\sigma(t)$ into (7.3) tells
us that

$(2^{s+1} - 1)2^{s+1} q = 2^{s+1} t$,

and, therefore,

(7.4) $(2^{s+1} - 1)q = t$.

Hence, $q \mid t$ and $q \ne t$.

When we add q to both sides of (7.4), we find that

(7.5) $t + q = (2^{s+1} - 1)q + q = 2^{s+1} q = \sigma(t)$.

We will show that q = 1. Note that if $q \ne 1$, then there are at least three distinct positive
divisors of t, namely, 1, q, and t. This implies that $\sigma(t) \ge t + q + 1$, which contradicts
(7.5). Hence, q = 1 and, from (7.4), we conclude that $t = 2^{s+1} - 1$. Also, from (7.5), we
see that $\sigma(t) = t + 1$, so that t must be prime, because its only positive divisors are 1 and
t. Therefore, $n = 2^s(2^{s+1} - 1)$, where $2^{s+1} - 1$ is prime. ■

By Theorem 7.10, we see that to find even perfect numbers, we must find primes of
the form $2^m - 1$. In our search for primes of this form, we first show that the exponent
m must be prime.

Theorem 7.11. If m is a positive integer and $2^m - 1$ is prime, then m must be prime.

Proof. Assume that m is not prime, so that m = ab, where 1 < a < m and 1 < b < m.
(Note that m > 1, since $2^m - 1$ is prime.) Then

$2^m - 1 = 2^{ab} - 1 = (2^a - 1)(2^{a(b-1)} + 2^{a(b-2)} + \cdots + 2^a + 1)$.

Because both factors on the right side of the equation are greater than 1, we see that
$2^m - 1$ is composite if m is not prime. Therefore, if $2^m - 1$ is prime, then m must also
be prime. ■

By Theorem 7.11, we see that to search for primes of the form $2^m - 1$, we need to
consider only integers m that are prime. Integers of the form $2^m - 1$ have been studied
in great depth; these integers are named after a French monk of the seventeenth century,
Marin Mersenne, who studied them.

Definition. If m is a positive integer, then $M_m = 2^m - 1$ is called the mth Mersenne
number; if p is prime and $M_p = 2^p - 1$ is also prime, then $M_p$ is called a Mersenne
prime.

Example 7.11. The Mersenne number $M_7 = 2^7 - 1$ is prime, whereas the Mersenne
number $M_{11} = 2^{11} - 1 = 2047 = 23 \cdot 89$ is composite. ◄

It is possible to prove various theorems that help decide whether Mersenne numbers
are prime. One such theorem will now be given. Related results are found in Exercises
37-39 in Section 11.1.

Theorem 7.12. If p is an odd prime, then any divisor of the Mersenne number $M_p = 2^p - 1$
is of the form 2kp + 1, where k is a positive integer.

Proof. Let q be a prime dividing $M_p = 2^p - 1$. By Fermat's little theorem, we know
that $q \mid (2^{q-1} - 1)$. Also, from Lemma 4.3, we know that

(7.6) $(2^p - 1, 2^{q-1} - 1) = 2^{(p, q-1)} - 1$.

Because q is a common divisor of $2^p - 1$ and $2^{q-1} - 1$, we know that $(2^p - 1, 2^{q-1} - 1) > 1$.
Hence, (p, q - 1) = p, because the only other possibility, namely, (p, q - 1) = 1,
would imply from (7.6) that $(2^p - 1, 2^{q-1} - 1) = 1$. Hence $p \mid (q - 1)$ and, therefore,
there is a positive integer m such that q - 1 = mp. Because q is odd, we see that m must
be even, so that m = 2k, where k is a positive integer. Hence, q = mp + 1 = 2kp + 1.
Because any divisor of $M_p$ is a product of prime divisors of $M_p$, each prime divisor of
$M_p$ is of the form 2kp + 1, and the product of numbers of this form is also of this form,
the result follows. ■


MARIN MERSENNE (1588-1648) was born in Maine, France, into a family
of workers. He attended the College of Mans and the Jesuit College at La
Fleche. He continued his education at the Sorbonne, studying theology. He
joined the order of the Minims in 1611, a group whose name comes from
the word minimi indicating that the members considered themselves the least
religious order. Besides prayer, members pursued scholarship and study. In
1612, Mersenne became a priest at the Palace Royale in Paris; between 1614
and 1618, he taught philosophy at the Minim Convent in Nevers. He returned
to Paris in 1619, where his cell in the Minims de l’Annociade was a meeting place for scientists,
philosophers, and mathematicians, including Fermat and Pascal. Mersenne corresponded extensively
with scholars throughout Europe, serving as a clearinghouse for new ideas. Mersenne wrote books
on mechanics, mathematical physics, mathematics, music, and acoustics. He studied prime numbers
and tried unsuccessfully to develop a formula representing all primes. In 1644, he claimed to have the
complete list of primes p with p < 257 for which $2^p - 1$ is prime; this claim was far from accurate.
Mersenne is also noted for his defense of two of the most famous men of his time, Descartes and
Galileo, from religious critics. He also helped expose alchemists and astrologers as frauds.

We can use Theorem 7.12 to help decide whether Mersenne numbers are prime. We
illustrate this by the following examples.

Example 7.12. To decide whether $M_{13} = 2^{13} - 1 = 8191$ is prime, we need only look
for a prime factor not exceeding $\sqrt{8191} = 90.504\ldots$. Furthermore, by Theorem 7.12,
any such prime divisor must be of the form 26k + 1. The only candidates for primes
dividing $M_{13}$ less than or equal to $\sqrt{M_{13}}$ are 53 and 79. Trial division easily rules out
these cases, so that $M_{13}$ is prime. ◄

Example 7.13. To decide whether $M_{23} = 2^{23} - 1 = 8,388,607$ is prime, we only
need to determine whether $M_{23}$ is divisible by a prime less than or equal to $\sqrt{M_{23}} = 2896.309\ldots$
of the form 46k + 1. The first prime of this form is 47. A trial division
shows that $8,388,607 = 47 \cdot 178,481$, so that $M_{23}$ is composite. ◄
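
The search carried out by hand in Examples 7.12 and 7.13, written out in Python as an added example (it is not code from the text). The function names and the max_k cutoff are assumptions of this sketch; divisibility is checked as $2^p \equiv 1 \pmod{q}$, so $M_p$ itself is never divided.

```python
from math import isqrt


def is_prime(q):
    """Trial division; enough for the small candidates listed below."""
    if q < 2:
        return False
    if q % 2 == 0:
        return q == 2
    d = 3
    while d * d <= q:
        if q % d == 0:
            return False
        d += 2
    return True


def prime_candidates(p):
    """Primes q = 2kp + 1 with q <= sqrt(M_p).

    By Theorem 7.12 these are the only primes that can show M_p composite.
    Only sensible for small p, because the whole list is built in memory.
    """
    limit = isqrt((1 << p) - 1)
    return [q for q in range(2 * p + 1, limit + 1, 2 * p) if is_prime(q)]


def classify_mersenne(p, max_k=1_000_000):
    """Decide whether M_p = 2^p - 1 is prime, for an odd prime p.

    Returns ("prime", None), ("composite", q) with q the smallest prime
    factor, or ("undecided", None) when max_k candidates were not enough.
    """
    if p < 3 or not is_prime(p):
        raise ValueError("Theorem 7.12 is stated for odd primes p")
    limit = isqrt((1 << p) - 1)
    for k in range(1, max_k + 1):
        q = 2 * k * p + 1
        if q > limit:
            return ("prime", None)  # no divisor up to sqrt(M_p)
        # q | 2^p - 1  <=>  2^p = 1 (mod q).
        # Composite q need no filtering: a composite divisor would have a
        # smaller prime factor of the same form, and that one is hit first.
        if pow(2, p, q) == 1:
            return ("composite", q)
    return ("undecided", None)


if __name__ == "__main__":
    print(prime_candidates(13))          # candidates of Example 7.12
    for p in (13, 23):                   # Examples 7.12 and 7.13
        print(p, classify_mersenne(p))
    # M_67: the smaller factor in Cole's factorization is 2kp + 1 with
    # k = 1,445,580, so a cutoff of 1000 candidates cannot settle it.
    print(67, classify_mersenne(67, max_k=1000))
    print(67, classify_mersenne(67, max_k=2_000_000))
```

The "undecided" outcome is the practical limit of this method: the number of candidates up to $\sqrt{M_p}$ grows exponentially in p, which is why the section turns to a dedicated test next.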

Because there are special primality tests for Mersenne numbers, it has been possible 
to determine whether extremely large Mersenne numbers are prime. 

A particularly useful primality test follows, known as the Lucas-Lehmer test after
Edouard Lucas, who developed the theory the test is based on in the 1870s, and Derrick
H. Lehmer, who developed a simplified version of the test in 1930. (A version of this test
that uses elliptic curves, introduced in Chapter 13, was recently developed by Benedict
Gross.) This test has been used to find the largest known Mersenne primes and is being
used today in the ongoing search for new Mersenne primes, described later in this section.
For most of recent history, the largest known Mersenne prime was the largest known
prime, as is currently the case. However, from late 1990 until early 1992, the largest
known prime was $391,581 \cdot 2^{216,193} - 1$. Because this number is of the form $k \cdot 2^n - 1$,
it was possible to use special tests to show that it is prime.


FRANÇOIS-EDOUARD-ANATOLE LUCAS (1842-1891) was born in
Amiens, France, and was educated at the Ecole Normale. After finishing his
studies, he worked as an assistant at the Paris Observatory, and during the
Franco-Prussian war he served as an artillery officer. After the war he became
a teacher at a secondary school. He was considered to be an excellent and
entertaining teacher. Lucas was extremely fond of calculating and devised plans
for a computer, which unfortunately were never realized. Besides his contributions
to number theory, Lucas is also remembered for his work in recreational
mathematics. The most famous of his contributions in this area is the well-known Tower of Hanoi
problem. A freak accident led to Lucas’s death. He was gashed in the cheek by a piece of a plate that
was accidentally dropped at a banquet. An infection in the resulting wound killed him several days
later.

Theorem 7.13. The Lucas-Lehmer Test. Let p be a prime and let $M_p = 2^p - 1$
denote the pth Mersenne number. Define a sequence of integers recursively by setting
$r_1 = 4$ and, for $k \ge 2$,

$r_k \equiv r_{k-1}^2 - 2 \pmod{M_p}$, $0 \le r_k < M_p$.

Then $M_p$ is prime if and only if $r_{p-1} \equiv 0 \pmod{M_p}$.

The proof of the Lucas-Lehmer test may be found in [Le80] and [Si64]. We give an
example to illustrate how the Lucas-Lehmer test is used.

Example 7.14. Consider the Mersenne number $M_5 = 2^5 - 1 = 31$. Then $r_1 = 4$,
$r_2 \equiv 4^2 - 2 = 14 \pmod{31}$, $r_3 \equiv 14^2 - 2 \equiv 8 \pmod{31}$, and $r_4 \equiv 8^2 - 2 \equiv 0 \pmod{31}$.
Because $r_4 \equiv 0 \pmod{31}$, we conclude that $M_5 = 31$ is prime. ◄

The Lucas-Lehmer test can be performed quite rapidly, as the following corollary 
states. It lets us test whether Mersenne numbers are prime without factoring them and 
makes it possible to determine whether extremely large Mersenne numbers are prime, 
whereas other numbers of similar size that are not of special form are beyond testing. 

Corollary 7.13.2. Let p be prime and let $M_p = 2^p - 1$ denote the pth Mersenne
number. It is possible to determine whether $M_p$ is prime using $O(p^3)$ bit operations.

Proof. To determine whether $M_p$ is prime using the Lucas-Lehmer test requires p - 1
squarings modulo $M_p$, each requiring $O((\log M_p)^2) = O(p^2)$ bit operations. Hence, the
Lucas-Lehmer test requires $O(p^3)$ bit operations. ■
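
Theorem 7.13 and Example 7.14 as runnable Python, added here as an illustration (it is not code from the text or from any search project). The function names are this example's own; p = 2 is answered directly because the recurrence as coded applies to odd p, and each reduction uses $2^p \equiv 1 \pmod{M_p}$ in place of a general division.

```python
from math import isqrt


def primes_upto(n):
    """Sieve of Eratosthenes."""
    if n < 2:
        return []
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, flag in enumerate(sieve) if flag]


def mod_mersenne(x, p):
    """Reduce x >= 0 modulo M_p = 2^p - 1 using shifts and adds only."""
    m = (1 << p) - 1
    while x > m:
        # x = hi * 2^p + lo and 2^p = 1 (mod M_p), so x = hi + lo (mod M_p)
        x = (x & m) + (x >> p)
    return 0 if x == m else x


def lucas_lehmer_sequence(p):
    """Yield r_1, r_2, ..., r_{p-1} of Theorem 7.13 for an odd prime p."""
    m = (1 << p) - 1
    r = 4
    yield r
    for _ in range(p - 2):
        r = mod_mersenne(r * r, p) - 2
        if r < 0:          # r*r reduced to 0 or 1: wrap back into [0, M_p)
            r += m
        yield r


def lucas_lehmer(p):
    """True exactly when M_p = 2^p - 1 is prime."""
    if p == 2:
        return True        # M_2 = 3; handled directly, see lead-in
    if p < 2 or any(p % d == 0 for d in range(2, isqrt(p) + 1)):
        return False       # Theorem 7.11: composite exponent, composite M_p
    last = None
    for last in lucas_lehmer_sequence(p):
        pass
    return last == 0


def mersenne_exponents(bound):
    """All primes p <= bound for which M_p is prime."""
    return [p for p in primes_upto(bound) if lucas_lehmer(p)]


def compare_claim(claimed, bound):
    """Check a claimed list of exponents against the test.

    Returns (wrongly_included, wrongly_omitted) for primes p <= bound.
    """
    actual = set(mersenne_exponents(bound))
    claimed = set(claimed)
    return sorted(claimed - actual), sorted(actual - claimed)


if __name__ == "__main__":
    print(list(lucas_lehmer_sequence(5)))      # residues of Example 7.14
    print(mersenne_exponents(700))
    # Mersenne's 1644 list of exponents, as quoted in this section.
    mersenne_1644 = [2, 3, 5, 7, 13, 17, 19, 31, 67, 127, 257]
    print(compare_claim(mersenne_1644, 257))
```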

It has been conjectured but not proved that there are infinitely many Mersenne
primes. However, the search for larger and larger Mersenne primes has been quite
successful.


DERRICK H. LEHMER (1905-1991) was born in Berkeley, California. He
received his undergraduate degree in 1927 from the University of California and
his master’s and doctorate degrees from Brown University in 1929 and 1930,
respectively. He served on the staffs of the California Institute of Technology,
the Institute for Advanced Study, Lehigh University, and Cambridge University
before joining the mathematics department at the University of California,
Berkeley, in 1940. Lehmer made many contributions to number theory. He
invented many special purpose devices for number theoretic computations,
some with his father, who was also a mathematician. Lehmer was the thesis advisor of Harold Stark,
who in turn was the thesis advisor of the author of this book.







The Search for Mersenne Primes 

The history of the search for Mersenne primes can be divided into three eras. The first 
began in ancient times and ran until the advent of computers in the 1950s. Before the 
1950s, only 12 Mersenne primes were known, with the largest of these 12 found in 1876. 
Once computers were available, many new Mersenne primes were found, including five 
new ones discovered in just one year, 1952. A total of 22 Mersenne primes were found 
on stand-alone computers from 1952 until 1996, with the largest of these found on the 
most powerful supercomputers of their day. The second era ran until the widespread 
use of the Internet, when the third era began. So far (early 2010), a total of 13 new 
Mersenne primes have been discovered using a distributed computer network enabled 
by the Internet, bringing the current total to 47 known Mersenne primes. We now briefly 
describe some details about the quest for Mersenne primes in each of these three time
periods. 

The Precomputer Era In precomputer days, the search was littered with errors and
unsubstantiated claims, many turning out to be false. By 1588, Pietro Cataldi had verified
that $M_{17}$ and $M_{19}$ were primes, but he also stated, without any justification, that $M_p$ was
prime for p = 23, 29, 31, and 37 (of these, only $M_{31}$ is prime). In his Cogitata Physica-Mathematica,
published in 1644, Mersenne claimed (without providing a justification)
that $M_p$ is prime for p = 2, 3, 5, 7, 13, 17, 19, 31, 67, 127, and 257, and for no other
prime p with p < 257. In 1772, Euler showed that $M_{31}$ was prime, using trial division by
all primes up to 46,337, which is the largest prime not exceeding the square root of $M_{31}$.
In 1811, the English mathematician Peter Barlow wrote in his Theory of Numbers that
$M_{31}$ would be the greatest Mersenne prime ever found — he thought that no one would
ever attempt to find a larger Mersenne prime because they are “merely curious, without
being useful.” This turned out to be a terrible prediction; not only was Barlow wrong
about people finding new Mersenne primes, but he was wrong about their utility, as our
subsequent comments will show.

In 1876, Lucas used the test that he had developed to show that $M_{67}$ was composite
without finding a factorization; it took an additional 27 years for $M_{67}$ to be factored.
The American mathematician Frank Cole devoted 20 years of Sunday-afternoon computations
to discover that $M_{67} = 193,707,721 \cdot 761,838,257,287$. When he presented this
result at a meeting of the American Mathematical Society in 1903, writing the factorization
on a blackboard and not saying a word, the audience gave him a standing ovation, as
they understood how much work had been required to find this factorization. The numbers
$M_{61}$, $M_{89}$, $M_{107}$, and $M_{127}$ were shown to be prime between 1876 and 1914. But
it was not until 1947 that the primality of $M_p$ for all primes p not exceeding 257 was
tested, with the help of mechanical calculating machines. When this work was done, it
was seen that Mersenne had made exactly five mistakes. He was wrong when he stated
that $M_{67}$ and $M_{257}$ are primes, and he failed to include the Mersenne primes $M_{61}$, $M_{89}$,
and $M_{107}$ in his list.

The Computer Era As we have seen, only 12 Mersenne primes were known before
the advent of modern computers, the last of which was discovered in 1914. But since
the invention of computers, new Mersenne primes have been found at a fairly steady
rate, averaging about one new Mersenne prime every two years since 1950. The first
five Mersenne primes found with the help of a computer were the 13th through the 17th
Mersenne primes. All five were found in 1952 by Raphael Robinson, using SWAC (the 
National Bureau of Standards Western Automatic Computer) with the help of D. H. and 
Emma Lehmer. The 13th and 14th Mersenne primes were found the first day SWAC was 
used to run the Lucas-Lehmer test, and the other three were found in the following nine 
months. Compared to computers today, SWAC was primitive. Its total memory was 1152 
bytes, and half of this was used for the commands that ran the program. It is interesting to 
note that Robinson’s program to implement the Lucas-Lehmer test was the first program 
he ever wrote. 

Riesel found the 18th Mersenne prime using the Swedish BESK computer, Hurwitz 
found the 19th and 20th Mersenne primes using the IBM 7090, and Gillies found the 
21st, 22nd, and 23rd Mersenne primes using the ILLIAC 2. Tuckerman found the 24th 
Mersenne prime using the IBM 360. 

The 25th and 26th Mersenne primes were found by high school students Laura 
Nickel and Landon Noll using idle time on the Cyber 174 computer at California 
State University, Hayward. Nickel and Noll, who were 18 years old at the time, were 
also studying number theory with D. H. Lehmer and CSU professor Dan Jurca. Their 
discoveries were announced on the nightly news shows of major networks around the 
world. Nickel and Noll discovered the 25th Mersenne prime together, while only Noll 
went on to discover the 26th Mersenne prime by himself. 

David Slowinski, working with several different collaborators, discovered the nth 
Mersenne prime for n = 27, 28, 30, 31, 32, 33, and 34 between 1979 and 1996. For 
example, Slowinski and Gage found the Mersenne prime $M_{1,257,787}$, a number with
378,632 digits, in 1996. The proof that this number is prime took approximately six 
hours on a Cray supercomputer. The Mersenne prime that Slowinski missed, the 29th, 
was found by Colquitt and Welsh in 1988 using a NEC SX-2 computer. You may wonder 
how Slowinski overlooked this prime. The reason is that he did not check whether M p 
is prime for consecutive primes, but instead jumped around following hunches about the 
distribution of Mersenne primes, just as many researchers have done. 

The Great Internet Prime Search The Internet has become a key factor accelerating
the discovery of Mersenne primes. Many people are cooperating to find new Mersenne
primes as part of the Great Internet Mersenne Prime Search (GIMPS), founded by George
Woltman in 1996. Approximately 40 Teraflops (40 trillion ($10^{12}$) floating-point operations
per second) are devoted to GIMPS on PrimeNet, the network linking the distributed
computers in GIMPS into one virtual supercomputer. This virtual supercomputer is one
of the most powerful computers in the world, even though most of the individual computers
used are Pentium PCs.

The 13 largest Mersenne primes known were all found as part of the GIMPS project.
The first two of these, $M_{1,398,269}$ and $M_{2,976,221}$, were discovered to be prime in 1996
and 1997, respectively. The Mersenne prime $M_{2,976,221}$ was shown to be prime using a
100 MHz Pentium PC using about 15 days of CPU time. In 1998, $M_{3,021,377}$, a number
with 909,526 decimal digits, was found to be prime. The lucky person who made this
discovery, Roland Clarkson, was a 19-year-old student at California State University,
Dominguez Hills. He used a 200 MHz Pentium computer, taking the equivalent of
about a week of full-time CPU processing, to find this prime. The Mersenne prime $M_{6,972,593}$,
a number with 2,098,960 decimal digits, was found in 1999 by Nayan Hajratwala, a
GIMPS participant, using a 350 MHz Pentium computer, using the equivalent of about
three weeks of uninterrupted processing.

No.   p     Decimal Digits in $M_p$   Year Discovered   Discoverer
1     2     1                         ancient times
2     3     1                         ancient times
3     5     2                         ancient times
4     7     3                         ancient times
5     13    4                         1456              anonymous
6     17    6                         1588              Cataldi
7     19    6                         1588              Cataldi
8     31    10                        1772              Euler
9     61    19                        1883              Pervushin
10    89    27                        1911              Powers
11    107   33                        1914              Powers
12    127   39                        1876              Lucas

Table 7.3 Mersenne primes known before computers.

The Mersenne prime $M_{13,466,917}$, an integer with 4,053,946 decimal digits, was
found in 2001 by a 20-year-old Canadian university student, Michael Cameron. It took 42
days on an 800 MHz AMD personal computer to show that this number is prime. The next
largest Mersenne prime is $M_{20,996,011}$, an integer with 6,320,430 decimal digits, which
was shown to be prime in 2003 by Michael Shafer, a 26-year-old chemical engineering
graduate student at Michigan State University. He used a 2.4 GHz Pentium 4 personal
computer running for 19 days to make this discovery. The Mersenne prime $M_{24,036,583}$,
an integer with 7,253,733 decimal digits, was shown to be prime in 2004 by Josh Findley.
He used a 2.4 GHz Pentium 4 PC running for 14 days to prove this. The Mersenne prime
$M_{25,964,951}$, an integer with 7,816,230 decimal digits, was discovered in February 2005
by Martin Nowak, a German eye surgeon using a 2.4 GHz Pentium 4 PC running for
more than 50 days. The Mersenne prime $M_{30,402,457}$, an integer with 9,152,052 decimal
digits, was shown to be prime in December 2005 by a collaborative effort at Central
Missouri State University (CMSU) led by Curtis Cooper and Steven Boone. They ran
GIMPS software on about 700 campus lab PCs. They found this Mersenne prime on
a computer in the Department of Communication lab running on and off for around 50
days. Less than a year later, in September 2006, this same team discovered the Mersenne
prime $M_{32,582,657}$, an integer with 9,808,358 decimal digits, using a computer in the
same lab and just a few computers away from the computer that produced their earlier
discovery.
No.   p           Decimal Digits in $M_p$   Year Discovered   Discoverer(s)       Computer Used
13    521         157                       1952              Robinson            SWAC
14    607         183                       1952              Robinson            SWAC
15    1279        386                       1952              Robinson            SWAC
16    2203        664                       1952              Robinson            SWAC
17    2281        687                       1952              Robinson            SWAC
18    3217        969                       1957              Riesel              BESK
19    4253        1281                      1961              Hurwitz             IBM 7090
20    4423        1332                      1961              Hurwitz             IBM 7090
21    9689        2917                      1963              Gillies             ILLIAC 2
22    9941        2993                      1963              Gillies             ILLIAC 2
23    11,213      3376                      1963              Gillies             ILLIAC 2
24    19,937      6002                      1971              Tuckerman           IBM 360/91
25    21,701      6533                      1978              Noll, Nickel        Cyber 174
26    23,209      6987                      1979              Noll                Cyber 174
27    44,497      13,395                    1979              Nelson, Slowinski   Cray 1
28    86,243      25,962                    1983              Slowinski           Cray 1
29    110,503     33,265                    1988              Colquitt, Welsh     NEC SX-2
30    132,049     39,751                    1983              Slowinski           Cray X-MP
31    216,091     65,050                    1985              Slowinski           Cray X-MP
32    756,839     227,832                   1992              Slowinski, Gage     Cray 2
33    859,433     258,716                   1994              Slowinski, Gage     Cray 2
34    1,257,787   378,632                   1996              Slowinski, Gage     Cray T94

Table 7.4 Mersenne primes found using computers but not the Internet.


Two years after the discoveries at CMSU, GIMPS announced the discovery of
two more Mersenne primes. The larger, the Mersenne prime $M_{43,112,609}$, a number
with 12,978,189 decimal digits, was discovered first. It was found in August 2008 by
Edson Smith, a computing manager for the Mathematics Department at UCLA, on a
2.4 GHz Windows XP computer, one of 75 computers running GIMPS software in a
computer lab. The smaller of these two Mersenne primes, $M_{37,156,667}$, discovered in
September 2008, has 11,185,272 decimal digits. It was found by Hans-Michael Elvenich,
an electrical engineer who works for a chemical company. In April 2009, the Mersenne
prime $M_{42,643,801}$, a number with 12,837,064 decimal digits, was found by Odd M.
Strindmo, a Norwegian IT professional. This Mersenne prime was discovered on a 3.0
GHz PC; the computer actually discovered the new prime in April 2009, but no person
noticed this for almost three months! The reader should also note that not all Mersenne
numbers with exponents between 21,000,000 and 43,112,609 have been tested, so that
there may be one or more undiscovered Mersenne primes in this range.

The search for new Mersenne primes continues full blast, with approximately 70,000
people looking for new ones by running GIMPS software on more than a quarter million
computers. GIMPS has been finding new Mersenne primes at what seems to be an
increasingly rapid pace. The next few years will show whether GIMPS can keep
this pace up. (See Tables 7.3, 7.4, and 7.5 for lists of known Mersenne primes divided
into the era in which they were found, along with information about their discovery.)

No.   p            Decimal Digits in $M_p$   Year Discovered   Discoverer(s)
35    1,398,269    420,921                   1996              Armengaud
36    2,976,221    895,952                   1997              Spence
37    3,021,377    909,526                   1998              Clarkson
38    6,972,593    2,098,960                 1999              Hajratwala
39    13,466,917   4,053,946                 2001              Cameron
40    20,996,011   6,320,430                 2003              Shafer
41    24,036,583   7,253,733                 2004              Findley
42    25,964,951   7,816,230                 2005              Nowak
43    30,402,457   9,152,052                 2005              Cooper, Boone
44    32,582,657   9,808,358                 2006              Cooper, Boone
45    37,156,667   11,185,272                2008              Elvenich
46    42,643,801   12,837,064                2009              Strindmo
47    43,112,609   12,978,189                2008              Smith

Table 7.5 Mersenne primes found by GIMPS over PrimeNet.

Why do people look for Mersenne primes? Many people are devoted to the quest for
new Mersenne primes. Why do they spend so much time and energy on this task? There
are many reasons. The discovery of a new Mersenne prime brings fame and notoriety.
Some people may be motivated by the recent cash prizes being offered for finding new
Mersenne primes; other people like to contribute to team efforts. By joining GIMPS
and PrimeNet, anyone can begin making useful contributions to the search for new
Mersenne primes. The quest for new Mersenne primes has sparked the development of
new theoretical results, and this has motivated many people; others are interested in the
distribution of primes and want evidence to use as the basis for conjectures. Many people
have used software for the Lucas-Lehmer test to check out new hardware platforms, as
these programs are CPU and computer bus intensive. For example, the Intel Pentium II
chip was tested using GIMPS software. Some people would rather have their computer
look for Mersenne primes during idle time than run a screen-saver. For these and other
reasons, many people look for Mersenne primes.


A Prime Jackpot

When Nayan Hajratwala found the Mersenne prime $2^{6,972,593} - 1$, he was the first person
to find a prime with more than one million decimal digits. This made him eligible for a
prize of $50,000 from the Electronic Frontier Foundation (EFF), an organization devoted to
protecting the health and growth of the Internet. Moreover, the discovery of the Mersenne
prime $M_{43,112,609}$ qualified for a prize of $100,000 from the EFF because it was the first
prime found with more than ten million decimal digits. Of this prize money, $50,000 went
to the UCLA Mathematics Department, $25,000 went to charity, and $25,000 was split up
with some going to the discoverers of the previous six Mersenne primes found and the rest
to the GIMPS organization.

You still have a chance to collect a prize from the EFF by finding large primes. They
offer prizes of $150,000 and $250,000 for the first discovery of a prime with 100 million
and 1 billion decimal digits, respectively. An anonymous donor has funded these prizes to
spur cooperative work on scientific problems that involve massive computation. You still
will receive a cash prize if you find a new Mersenne prime with fewer than 100 million
decimal digits; GIMPS will award $3,000 for the discovery of each such prime.

If you catch the bug and become interested in the search for Mersenne primes, you 
should investigate the GIMPS Web site, as well as several other relevant Web sites (links 
for these can be found in Appendix D and on the Web site for this book). At the GIMPS 
site, you can obtain a program for running the Lucas-Lehmer test, and learn how to join
PrimeNet. The GIMPS program for running the Lucas-Lehmer test has been optimized 
in many ways, so that it runs much more efficiently than a naive implementation of the 
test. You can reserve a particular range of exponents to check. If history is a guide, it 
should not be too much longer before the world’s record for Mersenne (and all) primes 
is smashed. If you join GIMPS, you may be the lucky one to break this record! 

Odd Perfect Numbers 

We have reduced the study of even perfect numbers to the study of Mersenne primes. But 
are there odd perfect numbers? The answer is still unknown. It is possible to demonstrate 
that if they exist, odd perfect numbers must satisfy numerous conditions (see Exercises 
32-36, for example). Much of the work establishing various constraints on odd perfect 
numbers originated with the work of the great English mathematician James Joseph 
Sylvester. In 1888, he stated that the existence of an odd perfect with “its escape from the
complex web of conditions which hem it in on all sides would be little short of a miracle.”
Today, this statement appears to be even more on the mark. As of early 2010, we know
that there are no odd perfect numbers less than $10^{300}$, an odd perfect number must have at
least nine different prime divisors and at least 75 prime divisors counting multiplicities,
the largest prime factor of the number must be at least $10^8$, the largest exponent in the
prime-power factorization must be at least 4, the largest prime power must be at least
$10^{20}$, as well as many other constraints. A discussion of odd perfect numbers may be
found in [Gu94] or [Ri96], and information about some of the constraints may be found 
in [BrCote93], [Co87], [GoOh08], and [Ha83]. 


7.3 Exercises 

1. Find the six smallest even perfect numbers. 

2. Find the seventh and eighth even perfect numbers. 
3. Find a factor of each of the following integers.

a) $2^{15} - 1$ b) $2^{91} - 1$ c) $2^{1001} - 1$

4. Find a factor of each of the following integers.

a) $2^{111} - 1$ b) $2^{289} - 1$ c) $2^{46,189} - 1$

If n is a positive integer, we say that n is deficient if $\sigma(n) < 2n$, and we say that n is abundant if
$\sigma(n) > 2n$. Every integer is either deficient, perfect, or abundant.

5. Find the six smallest abundant positive integers. 

6. Find the smallest odd abundant positive integer. 

7. Show that every prime power is deficient. 

8. Show that any proper divisor of a deficient or perfect number is deficient. 

9. Show that any multiple of an abundant or perfect number, other than the perfect number itself, 
is abundant. 

10. Show that if $n = 2^{m-1}(2^m - 1)$, where m is a positive integer such that $2^m - 1$ is composite,
then n is abundant.

11. Show that there are infinitely many deficient numbers. 

12. Show that there are infinitely many even abundant numbers. 

13. Show that there are infinitely many odd abundant numbers. 

14. Show that if $n = p^a q^b$, where p and q are distinct odd primes and a and b are positive integers, 
then n is deficient. 

Two positive integers m and n are called an amicable pair if $\sigma(m) = \sigma(n) = m + n$. 

15. Show that each of the following pairs of integers are amicable pairs. 

a) 220, 284 b) 1184, 1210 c) 79750, 88730 

16. a) Show that if n is a positive integer with $n \ge 2$, such that $3 \cdot 2^{n-1} - 1$, $3 \cdot 2^n - 1$, and 
$3^2 \cdot 2^{2n-1} - 1$ are all prime, then $2^n(3 \cdot 2^{n-1} - 1)(3 \cdot 2^n - 1)$ and $2^n(3^2 \cdot 2^{2n-1} - 1)$ form 
an amicable pair. 

b) Find three amicable pairs using part (a). 

An integer n is called k-perfect if $\sigma(n) = kn$. Note that a perfect number is 2-perfect. 

17. Show that $120 = 2^3 \cdot 3 \cdot 5$ is 3-perfect. 

18. Show that $30{,}240 = 2^5 \cdot 3^3 \cdot 5 \cdot 7$ is 4-perfect. 

19. Show that $14{,}182{,}439{,}040 = 2^7 \cdot 3^4 \cdot 5 \cdot 7 \cdot 11^2 \cdot 17 \cdot 19$ is 5-perfect. 

20. Find all 3-perfect numbers of the form $n = 2^k \cdot 3 \cdot p$, where p is an odd prime. 

21. Show that if n is 3-perfect and $3 \nmid n$, then 3n is 4-perfect. 

An integer n is k-abundant if $\sigma(n) > (k + 1)n$. 

22. Find a 3-abundant integer. 

23. Find a 4-abundant integer. 

24. Show that for each positive integer k there are an infinite number of k-abundant integers. 

A positive integer n is called superperfect if $\sigma(\sigma(n)) = 2n$. 

25. Show that 16 is superperfect. 

26. Show that if $n = 2^q$, where $2^{q+1} - 1$ is prime, then n is superperfect. 

27. Show that every even superperfect number is of the form $n = 2^q$, where $2^{q+1} - 1$ is prime. 

* 28. Show that if $n = p^2$, where p is an odd prime, then n is not superperfect. 

29. Use Theorem 7.12 to determine whether each of the following Mersenne numbers is prime. 

a) $M_7$ b) $M_{11}$ c) $M_{17}$ d) $M_{29}$ 

30. Use the Lucas-Lehmer test, Theorem 7.13, to determine whether each of the following 
Mersenne numbers is prime. 

a) $M_3$ b) $M_7$ c) $M_{11}$ d) $M_{13}$ 

* 31. Show that if n is a positive integer and 2n + 1 is prime, then either $(2n + 1) \mid M_n$ or 
$(2n + 1) \mid (M_n + 2)$. (Hint: Use Fermat’s little theorem to show that $M_n(M_n + 2) \equiv 0 \pmod{2n + 1}$.) 

* 32. a) Show that if n is an odd perfect number, then $n = p^a m^2$, where p is an odd prime, 
$p \equiv a \equiv 1 \pmod 4$, and m is an integer. 

b) Use part (a) to show that if n is an odd perfect number, then $n \equiv 1 \pmod 4$. 

* 33. Show that if $n = p^a m^2$ is an odd perfect number, where p is prime, then $n \equiv p \pmod 8$. 

* 34. Show that if n is an odd perfect number, then 3, 5, and 7 are not all divisors of n. 

* 35. Show that if n is an odd perfect number, then n has at least three different prime divisors. 

* * 36. Show that if n is an odd perfect number, then n has at least four different prime divisors. 

37. Find all positive integers n such that the product of all divisors of n other than n is exactly 
$n^2$. (These integers are multiplicative analogues of perfect numbers.) 

38. Let n be a positive integer. Define the aliquot sequence $n_1, n_2, n_3, \ldots$, recursively by 
$n_1 = \sigma(n) - n$ and $n_{k+1} = \sigma(n_k) - n_k$ for k = 1, 2, 3, .... (The word aliquot is an adjective 
that means “contained an exact number of times in something else.” Archaically, the aliquot 
parts of an integer were the divisors of this integer.) 

a) Show that if n is perfect, then $n = n_1 = n_2 = n_3 = \cdots$. 

b) Show that if n and m are an amicable pair, then $n_1 = m$, $n_2 = n$, $n_3 = m$, $n_4 = n$, ... and 
so on; that is, the sequence $n_1, n_2, n_3, \ldots$ is periodic with period 2. 

c) Find the aliquot sequence of integers generated if $n = 12{,}496 = 2^4 \cdot 11 \cdot 71$. 

Before computers were used to examine the behavior of aliquot sequences, it was conjectured 
that for all integers n the aliquot sequence of integers $n_1, n_2, n_3, \ldots$ is bounded. However, 
evidence obtained from calculations with large integers suggests that some of these sequences 
are unbounded. 

* 39. Show that if n is a positive integer greater than 1, then the Mersenne number $M_n$ cannot be 
the power of a positive integer. 

40. A double Mersenne number is a Mersenne number of the form $M_{M_n}$, where $M_n$ is the nth 
Mersenne prime. 

a) Show that if the double Mersenne number $M_{M_n}$ is prime, then n is prime and $M_n$ is prime. 

b) Find all prime double Mersenne numbers with n < 30 with the help of Table 7.3. 

Computations and Explorations 

1. Verify by direct computation that $2^{30}(2^{31} - 1)$ is perfect. 

2. Show that the number 154,345,556,085,770,649,600 is a 6-perfect number (as defined in the 
preamble to Exercise 17). 

3. Show that each of the following pairs of integers is an amicable pair (as defined in the preamble 
to Exercise 15). 

a) 609928, 686072 b) 643336, 652664 

c) 938304290, 1344480478 d) 4000783984, 4001351168 

4. Find factors of as many Mersenne numbers of the form $M_p$, where p is prime, as you can, 
using Theorem 7.12. 

5. Verify the primality of as many Mersenne primes as you can, using the Lucas-Lehmer test. 
(You may want to use GIMPS software to do this.) 

6. Join the GIMPS and search for Mersenne primes. 

7. Find all amicable pairs where both integers in the pair are less than 10,000. 

8. Show that the aliquot sequence (as defined in Exercise 38) obtained by taking n = 14,316 is 
periodic with period 28. 

9. Find as many aliquot sequences as you can that are periodic with period 4. 

10. Find the number of terms in the aliquot sequence obtained by taking n = 138 before this 
sequence reaches the integer 1. What is the largest term of the sequence? Can you answer the 
same question for n = 276? 

Programming Projects 

1. Classify positive integers according to whether they are deficient, perfect, or abundant (see 
the preamble to Exercise 5). 

2. Use Theorem 7.12 to look for factors of Mersenne numbers. 

3. Determine whether the Mersenne number $2^p - 1$ is prime, where p is a prime, using the 
Lucas-Lehmer test. 

4. Given a positive integer n, determine if the aliquot sequence defined in Exercise 32 is periodic. 

5. Given a positive integer n, find all amicable pairs of integers a, b, where a < n and b < n 
(see the preamble to Exercise 15). 


7.4 Möbius Inversion 

Let $f$ be an arithmetic function. The formula $F(n) = \sum_{d \mid n} f(d)$ expresses the values 
of $F$, the summatory function of $f$, in terms of the values of $f$. Can this relationship be 
inverted? That is, is there a convenient way to express the values of $f$ in terms of those 
of $F$? In this section, we will provide a useful formula that does this. We will start with 
some exploration, to help us see what kind of formula might exist. 

Suppose that $f$ is an arithmetic function and $F$ is its summatory function $F(n) = 
\sum_{d \mid n} f(d)$. Expanding the definition of $F(n)$ for n = 1, 2, ..., 8, we see that 

$$\begin{aligned}
F(1) &= f(1) \\
F(2) &= f(1) + f(2) \\
F(3) &= f(1) + f(3) \\
F(4) &= f(1) + f(2) + f(4) \\
F(5) &= f(1) + f(5) \\
F(6) &= f(1) + f(2) + f(3) + f(6) \\
F(7) &= f(1) + f(7) \\
F(8) &= f(1) + f(2) + f(4) + f(8),
\end{aligned}$$

and so on. When we solve these equations successively for $f(n)$, for n = 1, 2, ..., 8, 
we find that 

$$\begin{aligned}
f(1) &= F(1) \\
f(2) &= F(2) - F(1) \\
f(3) &= F(3) - F(1) \\
f(4) &= F(4) - F(2) \\
f(5) &= F(5) - F(1) \\
f(6) &= F(6) - F(3) - F(2) + F(1) \\
f(7) &= F(7) - F(1) \\
f(8) &= F(8) - F(4).
\end{aligned}$$

Note that $f(n)$ equals a sum of terms of the form $\pm F(n/d)$, where $d \mid n$. From this 
evidence, it might be fruitful to look for an identity of the form 

$$f(n) = \sum_{d \mid n} \mu(d) F(n/d),$$

where $\mu$ is an arithmetic function. If this identity holds, our computations imply that 
$\mu(1) = 1$, $\mu(2) = -1$, $\mu(3) = -1$, $\mu(4) = 0$, $\mu(5) = -1$, $\mu(6) = 1$, $\mu(7) = -1$, and 
$\mu(8) = 0$. Furthermore, $F(p) = f(1) + f(p)$, which implies that $f(p) = F(p) - F(1)$, 
whenever p is prime. This requires that $\mu(p) = -1$. Moreover, because 

$$F(p^2) = f(1) + f(p) + f(p^2),$$

we have 

$$f(p^2) = F(p^2) - (F(p) - F(1)) - F(1) = F(p^2) - F(p).$$

This implies that $\mu(p^2) = 0$ for every prime p. Similar reasoning can be used to show that 
$\mu(p^k) = 0$ for every prime p and integer k > 1. If we conjecture that $\mu$ is a multiplicative 
function, the values of $\mu$ are determined by those at prime powers. This leads to the 
following definition. 

Definition. The Möbius function, $\mu(n)$, is defined by 

$$\mu(n) = \begin{cases}
1 & \text{if } n = 1; \\
(-1)^r & \text{if } n = p_1 p_2 \cdots p_r, \text{ where the } p_i \text{ are distinct primes;} \\
0 & \text{otherwise.}
\end{cases}$$

The Möbius function is named after August Ferdinand Möbius. 

From the definition, we see that $\mu(n) = 0$ whenever n is divisible by the square of 
a prime. The only values of n for which $\mu(n) \ne 0$ are those n that are square-free. 

Example 7.15. From the definition of $\mu(n)$, we see that $\mu(1) = 1$, $\mu(2) = -1$, $\mu(3) = 
-1$, $\mu(4) = \mu(2^2) = 0$, $\mu(5) = -1$, $\mu(6) = \mu(2 \cdot 3) = 1$, $\mu(7) = -1$, $\mu(8) = \mu(2^3) = 0$, 
$\mu(9) = \mu(3^2) = 0$, and $\mu(10) = \mu(2 \cdot 5) = 1$. ◄ 

Example 7.16. We have $\mu(330) = \mu(2 \cdot 3 \cdot 5 \cdot 11) = (-1)^4 = 1$, $\mu(660) = 
\mu(2^2 \cdot 3 \cdot 5 \cdot 11) = 0$, and $\mu(4290) = \mu(2 \cdot 3 \cdot 5 \cdot 11 \cdot 13) = (-1)^5 = -1$. ◄ 

We now verify that the Möbius function is multiplicative, proceeding directly from 
its definition. 

Theorem 7.14. The Möbius function $\mu(n)$ is a multiplicative function. 

Proof. Suppose that m and n are relatively prime positive integers. To show that $\mu(n)$ is 
multiplicative requires that we show that $\mu(mn) = \mu(m)\mu(n)$. To establish this equality, 
we first consider the case when m = 1 or n = 1. When m = 1, we see that both $\mu(mn)$ 
and $\mu(m)\mu(n)$ equal $\mu(n)$. The case for n = 1 is similar. 

Now suppose that at least one of m and n is divisible by a square of a prime. Then 
mn is also divisible by the square of a prime. Consequently, $\mu(mn)$ and $\mu(m)\mu(n)$ are 
both equal to 0. Finally, consider the remaining case when both m and n are square-free 
integers greater than 1. Suppose that $m = p_1 p_2 \cdots p_s$, where $p_1, p_2, \ldots, p_s$ are 
distinct primes, and $n = q_1 q_2 \cdots q_t$, where $q_1, q_2, \ldots, q_t$ are distinct primes. Because 
m and n are relatively prime, no prime occurs in both of the prime factorizations of 
m and n. Consequently, mn is the product of s + t distinct primes. It follows that 
$\mu(mn) = (-1)^{s+t} = (-1)^s(-1)^t = \mu(m)\mu(n)$. ■ 


AUGUST FERDINAND MÖBIUS (1790-1868) was born in the town of 
Schulpforta, near Naumburg, Germany. His father was a dancing teacher and 
his mother was a descendant of Martin Luther. Möbius was taught at home until 
he was 13, displaying an interest and talent in mathematics at a young age. He 
received formal training in mathematics from 1803 until 1809, when he entered 
Leipzig University. He intended to study law, but instead decided to concentrate 
on subjects more to his interest: mathematics, physics, and astronomy. After 
pursuing further studies at Göttingen, where he studied astronomy with Gauss, 
and at Halle, where he studied mathematics with Pfaff, he became professor of astronomy at Leipzig, 
remaining there until his death. Möbius made contributions to a wide range of subjects, including 
astronomy, mechanics, projective geometry, optics, statics, and number theory. Today, he is best 
known for his discovery of a surface with one side, called the Möbius strip, which can be formed 
by taking a strip of paper and connecting two opposite ends after twisting it. 

We will now show that the summatory function of the Möbius function is a particularly 
simple function. 

Theorem 7.15. The summatory function of the Möbius function at the integer n, 
$F(n) = \sum_{d \mid n} \mu(d)$, satisfies 

$$\sum_{d \mid n} \mu(d) = \begin{cases}
1 & \text{if } n = 1; \\
0 & \text{if } n > 1.
\end{cases}$$

Proof. First consider the case when n = 1. We have 

$$F(1) = \sum_{d \mid 1} \mu(d) = \mu(1) = 1.$$

Next, let n > 1. By Theorem 7.8, because $\mu$ is a multiplicative function, its summatory 
function $F(n) = \sum_{d \mid n} \mu(d)$ is also multiplicative. Now, suppose that p is prime and k 
is a positive integer. We see that 

$$\begin{aligned}
F(p^k) = \sum_{d \mid p^k} \mu(d) &= \mu(1) + \mu(p) + \mu(p^2) + \cdots + \mu(p^k) \\
&= 1 + (-1) + 0 + \cdots + 0 = 0
\end{aligned}$$

because $\mu(p^i) = 0$ whenever $i \ge 2$. Finally, suppose that n is a positive integer, n > 
1, with prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$. Because $F$ is multiplicative, it 
follows that $F(n) = F(p_1^{a_1}) F(p_2^{a_2}) \cdots F(p_t^{a_t})$. Because each of the factors on the right-hand 
side of this equation is 0, it follows that $F(n) = 0$. ■ 

The Möbius inversion formula provides an answer to the question posed at the 
beginning of this section. It provides a way to express the values of $f$ in terms of values of 
its summatory function $F$. This formula is used extensively in the study of multiplicative 
functions and can be used to establish new identities involving these functions. 

Theorem 7.16. The Möbius Inversion Formula. Suppose that $f$ is an arithmetic 
function and that $F$ is the summatory function of $f$, so that 

$$F(n) = \sum_{d \mid n} f(d)$$

for every positive integer n. Then, for all positive integers n, 

$$f(n) = \sum_{d \mid n} \mu(d) F(n/d).$$

Proof. The proof of this formula involves some manipulations of double sums. We 
proceed as follows, starting with the sum on the right-hand side of the formula, substituting 
for $F(n/d)$ the expression $\sum_{e \mid (n/d)} f(e)$, which comes from the definition of the 
function $F$ as the summatory function of $f$. We have 

$$\begin{aligned}
\sum_{d \mid n} \mu(d) F(n/d) &= \sum_{d \mid n} \Bigl( \mu(d) \sum_{e \mid (n/d)} f(e) \Bigr) \\
&= \sum_{d \mid n} \Bigl( \sum_{e \mid (n/d)} \mu(d) f(e) \Bigr).
\end{aligned}$$

Note that the pairs of integers $(d, e)$ with $d \mid n$ and $e \mid (n/d)$ are the same as those with 
$e \mid n$ and $d \mid (n/e)$. It follows that 

$$\begin{aligned}
\sum_{d \mid n} \Bigl( \sum_{e \mid (n/d)} \mu(d) f(e) \Bigr) &= \sum_{e \mid n} \Bigl( \sum_{d \mid (n/e)} f(e) \mu(d) \Bigr) \\
&= \sum_{e \mid n} \Bigl( f(e) \sum_{d \mid (n/e)} \mu(d) \Bigr).
\end{aligned}$$

Now we see by Theorem 7.15 that $\sum_{d \mid (n/e)} \mu(d) = 0$ unless $n/e = 1$. When $n/e = 1$, 
that is, when $n = e$, this sum equals 1. Consequently, 

$$\sum_{e \mid n} \Bigl( f(e) \sum_{d \mid (n/e)} \mu(d) \Bigr) = f(n) \cdot 1 = f(n).$$

This completes the proof. ■ 

The Möbius inversion formula can be used to construct many new identities that 
would be difficult to prove in another manner, as the following example shows. 

Example 7.17. The functions $\sigma(n)$ and $\tau(n)$ are the summatory functions of the 
functions $f(n) = n$ and $f(n) = 1$, respectively, as noted in Section 7.2. That is, $\sigma(n) = 
\sum_{d \mid n} d$ and $\tau(n) = \sum_{d \mid n} 1$. By the Möbius inversion formula, we can conclude that for 
all integers n, 

$$n = \sum_{d \mid n} \mu(n/d)\sigma(d)$$

and 

$$1 = \sum_{d \mid n} \mu(n/d)\tau(d).$$

Proving these two identities directly would be difficult. ◄ 
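
The definition of $\mu$, Theorem 7.15, and the two identities of Example 7.17 can all be checked numerically. The following Python code is an added example, not part of the original text; the function names and the bounds 5000 and 300 are choices made here.

```python
from math import isqrt


def mobius_sieve(limit):
    """Return a list mu with mu[n] = mu(n) for 1 <= n <= limit (mu[0] is unused)."""
    mu = [1] * (limit + 1)
    mu[0] = 0
    composite = [False] * (limit + 1)
    primes = []
    for i in range(2, limit + 1):
        if not composite[i]:
            primes.append(i)
            mu[i] = -1                  # a single prime: (-1)^1
        for p in primes:
            if i * p > limit:
                break
            composite[i * p] = True
            if i % p == 0:
                mu[i * p] = 0           # p^2 divides i*p, so it is not square-free
                break
            mu[i * p] = -mu[i]          # one more distinct prime factor
    return mu


def divisors(n):
    """All positive divisors of n in increasing order (trial division)."""
    small, large = [], []
    for d in range(1, isqrt(n) + 1):
        if n % d == 0:
            small.append(d)
            if d != n // d:
                large.append(n // d)
    return small + large[::-1]


def summatory(f, n):
    """F(n) = sum of f(d) over the divisors d of n."""
    return sum(f(d) for d in divisors(n))


def mobius_invert(F, n, mu):
    """Right-hand side of Theorem 7.16: sum of mu(d) * F(n/d) over d | n."""
    return sum(mu[d] * F(n // d) for d in divisors(n))


LIMIT = 5000
MU = mobius_sieve(LIMIT)


def sigma(n):
    return summatory(lambda d: d, n)


def tau(n):
    return summatory(lambda d: 1, n)


def check_section(limit=300):
    """Check Theorem 7.15, Example 7.17 and Theorem 7.16 for 1 <= n <= limit."""
    f = lambda n: n * n + 3             # constructed f, deliberately not multiplicative
    F = lambda n: summatory(f, n)
    for n in range(1, limit + 1):
        divs = divisors(n)
        if sum(MU[d] for d in divs) != (1 if n == 1 else 0):    # Theorem 7.15
            return False
        if sum(MU[n // d] * sigma(d) for d in divs) != n:       # Example 7.17
            return False
        if sum(MU[n // d] * tau(d) for d in divs) != 1:         # Example 7.17
            return False
        if mobius_invert(F, n, MU) != f(n):                     # Theorem 7.16
            return False
    return True


if __name__ == "__main__":
    print(MU[1:11])                     # values listed in Example 7.15
    print(MU[330], MU[660], MU[4290])   # values listed in Example 7.16
    print(check_section())
```

The inversion check uses an $f$ that is not multiplicative, which illustrates that Theorem 7.16 holds for every arithmetic function.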


By Theorem 7.8, we know that if $f$ is a multiplicative function, then so is its 
summatory function, $F(n) = \sum_{d \mid n} f(d)$. Another useful consequence of the Möbius 
inversion formula is that we can turn this statement around. That is, if the summatory 
function $F$ of an arithmetic function $f$ is multiplicative, then so is $f$. 

Theorem 7.17. Let $f$ be an arithmetic function with summatory function $F = 
\sum_{d \mid n} f(d)$. Then, if $F$ is multiplicative, $f$ is also multiplicative. 

Proof. Suppose that m and n are relatively prime positive integers. We want to show 
that $f(mn) = f(m)f(n)$. To show this, first note that by Lemma 3.7, if d is a divisor 
of mn, then $d = d_1 d_2$ where $d_1 \mid m$, $d_2 \mid n$, and $(d_1, d_2) = 1$. Using the Möbius inversion 
formula and the fact that $\mu$ and $F$ are multiplicative, we see that 

$$\begin{aligned}
f(mn) &= \sum_{d \mid mn} \mu(d) F\!\left(\frac{mn}{d}\right) \\
&= \sum_{d_1 \mid m,\ d_2 \mid n} \mu(d_1 d_2) F\!\left(\frac{mn}{d_1 d_2}\right) \\
&= \sum_{d_1 \mid m,\ d_2 \mid n} \mu(d_1)\mu(d_2) F\!\left(\frac{m}{d_1}\right) F\!\left(\frac{n}{d_2}\right) \\
&= \sum_{d_1 \mid m} \mu(d_1) F\!\left(\frac{m}{d_1}\right) \cdot \sum_{d_2 \mid n} \mu(d_2) F\!\left(\frac{n}{d_2}\right) \\
&= f(m) f(n).
\end{aligned}$$


7.4 Exercises 

1. Find the following values of the Möbius function. 

a) $\mu(12)$ b) $\mu(15)$ c) $\mu(30)$ d) $\mu(50)$ 

e) $\mu(1001)$ f) $\mu(2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13)$ g) $\mu(10!)$ 

2. Find the following values of the Möbius function. 

a) $\mu(33)$ b) $\mu(105)$ c) $\mu(110)$ d) $\mu(740)$ 

e) $\mu(999)$ f) $\mu(3 \cdot 7 \cdot 13 \cdot 19 \cdot 23)$ g) $\mu(10!/(5!)^2)$ 

3. Find the value of $\mu(n)$ for each integer n with 100 < n < 110. 

4. Find the value of $\mu(n)$ for each integer n with 1000 < n < 1010. 

5. Find all integers n, 1 < n < 100 with $\mu(n) = 1$. 

6. Find all composite integers n, 100 < n < 200 with $\mu(n) = -1$. 

The Mertens function $M(n)$ is defined by $M(n) = \sum_{i=1}^{n} \mu(i)$. 

7. Find $M(n)$ for all positive integers not exceeding 10. 

8. Find $M(n)$ for n = 100. 

9. Show that $M(n)$ is the difference between the number of square-free positive integers not 
exceeding n with an even number of prime divisors and those with an odd number of prime 
divisors. 

10. Show that if n is a positive integer, then $\mu(n)\mu(n + 1)\mu(n + 2)\mu(n + 3) = 0$. 

11. Prove or disprove that there are infinitely many positive integers n such that $\mu(n) + 
\mu(n + 1) = 0$. 

12. Prove or disprove that there are infinitely many positive integers n such that $\mu(n - 1) + 
\mu(n) + \mu(n + 1) = 0$. 

13. For how many consecutive integers can the Möbius function $\mu(n)$ take a nonzero value? 

14. For how many consecutive integers can the Möbius function $\mu(n)$ take the value 0? 

15. Show that if n is a positive integer, then $\phi(n) = n \sum_{d \mid n} \mu(d)/d$. (Hint: Use the Möbius 
inversion formula.) 

16. Use the Möbius inversion formula and the identity $n = \sum_{d \mid n} \phi(n/d)$, demonstrated in Section 
7.1, to show the following. 

a) $\phi(p^t) = p^t - p^{t-1}$, whenever p is prime and t is a positive integer. 

b) $\phi(n)$ is multiplicative. 

17. Suppose that $f$ is a multiplicative function with $f(1) = 1$. Show that 

$$\sum_{d \mid n} \mu(d) f(d) = (1 - f(p_1))(1 - f(p_2)) \cdots (1 - f(p_k)),$$

where $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ is the prime-power factorization of n. 

18. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} d\mu(d)$ for all positive integers n. 

19. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)/d$ for all positive integers n. 

20. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)\tau(d)$ for all positive integers n. 

21. Use Exercise 17 to find a simple formula for $\sum_{d \mid n} \mu(d)\sigma(d)$ for all positive integers n. 

22. Let n be a positive integer. Show that 

$$\prod_{d \mid n} \mu(d) = \begin{cases}
-1 & \text{if } n \text{ is a prime;} \\
0 & \text{if } n \text{ has a square factor;} \\
1 & \text{if } n \text{ is square-free and composite.}
\end{cases}$$

23. Show that 

$$\sum_{d \mid n} \mu^2(d) = 2^{\omega(n)},$$

where $\omega(n)$ denotes the number of distinct prime factors of n. 

24. Use Exercise 23 and the Möbius inversion formula to show that 

$$\mu^2(n) = \sum_{d \mid n} \mu(d) 2^{\omega(n/d)}.$$

25. Show that $\sum_{d \mid n} \mu(d)\lambda(d) = 2^{\omega(n)}$ for all positive integers n, where $\omega(n)$ is the number of 
distinct prime factors of n. (See the preamble to Exercise 43 in Section 7.1 for a definition of 
$\lambda(n)$.) 

26. Show that $\sum_{d \mid n} \lambda(n/d) 2^{\omega(d)} = 1$ for all positive integers n. 

Exercises 27-29 provide a proof of the Möbius inversion formula and Theorem 7.17 using the 
concepts of the Dirichlet product and the Dirichlet inverse, defined in the exercise set of Section 
7.1. 

27. Show that the Möbius function $\mu(n)$ is the Dirichlet inverse of the function $\nu(n) = 1$. 

28. Use Exercise 38 in Section 7.1 and Exercise 27 to prove the Möbius inversion formula. 

29. Prove Theorem 7.17 by noting that if $F = f * \nu$, where $\nu = 1$ for all positive integers n, then 
$f = F * \mu$. 
The Mangoldt function $\Lambda$ is defined for all positive integers n by 

$$\Lambda(n) = \begin{cases}
\log p & \text{if } n = p^k, \text{ where } p \text{ is prime and } k \text{ is a positive integer;} \\
0 & \text{otherwise.}
\end{cases}$$

30. Show that $\sum_{d \mid n} \Lambda(d) = \log n$ whenever n is a positive integer. 

31. Use the Möbius inversion formula and Exercise 30 to show that 

$$\Lambda(n) = -\sum_{d \mid n} \mu(d) \log d.$$

32. Find the error in this “proof” that all perfect numbers are even. “Proof”: If n is even, then 
$2n = \sum_{d \mid n} d$. By Möbius inversion, $n = \sum_{d \mid n} \mu(n/d) 2d$. Because all the terms in the last 
sum are even, it follows that n is even. 

A complex number $\omega$ is a primitive nth root of unity if $\omega^n = 1$, but $\omega^k \ne 1$ when $1 \le k \le n - 1$. 
Because $e^{2\pi i} = 1$, it is easy to see that the primitive nth roots of unity are the complex numbers 
$\zeta^j$ where $\zeta = e^{2\pi i/n}$ for $1 \le j \le n$ and $(j, n) = 1$. The cyclotomic polynomial of order n, denoted 
by $\Phi_n(x)$, is the monic polynomial whose roots are the primitive nth roots of unity. That is, 

$$\Phi_n(x) = \prod_{\substack{1 \le j \le n \\ (j, n) = 1}} (x - \zeta^j).$$

33. a) Show that $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$ whenever n is a positive integer. 

b) Find $\Phi_p(x)$ if p is prime. 

c) Find $\Phi_{2p}(x)$ if p is an odd prime. 

34. Use the Möbius inversion formula to show that $\Phi_n(x) = \prod_{d \mid n} (x^d - 1)^{\mu(n/d)}$ whenever n is 
a positive integer. (Hint: First take logarithms on both sides of the equation in part (a) of 
Exercise 33.) 

35. Use Exercise 34 to show that the coefficients of $\Phi_n(x)$, the cyclotomic polynomial of order 
n, are integers whenever n is a positive integer. 

** 36. Show that if p and q are distinct odd primes, then each coefficient of the cyclotomic 
polynomial of order pq equals -1, 0, or 1. 

Computations and Explorations 

1. Find $\mu(n)$ for each of the following values of n. 

a) 421,602,180,943 b) 186,728,732,190 c) 737,842,183,177 

2. Find $M(n)$, the value of the Mertens function at n, for each of the following integers. (See 
the preamble to Exercise 7 for the definition of $M(n)$.) 

a) 1000 b) 10,000 c) 100,000 

3. A famous conjecture made in 1897 by F. Mertens, and disproved in 1985 by A. Odlyzko 
and H. te Riele (in [Odte85]), was that $|M(n)| < \sqrt{n}$ for all positive integers n, where $M(n)$ 
is the Mertens function. Show that this conjecture, called Mertens’ conjecture, is true for all 
integers n for as large a range as you can. Do not expect to find a counterexample, because the 
smallest n for which the conjecture is false is fantastically large. What is known is that there 
is a counterexample less than $3.21 \cdot 10^{64}$. Before the conjecture was shown to be false, it had 
been checked by computer for all integers n up to $10^{10}$. This shows that even a tremendous 
amount of evidence can be misleading, because the smallest counterexample to a conjecture 
can nevertheless be titanically large. 

4. Compute the cyclotomic polynomials of order n (defined in the preamble of Exercise 32) 
for 1 < n < 50. (Many computer algebra systems, such as Maple and Mathematica, have 
commands that find cyclotomic polynomials.) 

5. Find the smallest n for which the cyclotomic polynomial of order n has a coefficient 
other than 0 or ±1 and the smallest n for which the cyclotomic polynomial of order n has a 
coefficient other than 0, ±1 and ±2. 

Programming Projects 

1. Given a positive integer n, find the value of $\mu(n)$. 

2. Given a positive integer n, find the value of $M(n)$. 

3. Given a positive integer n, check whether Mertens’ conjecture holds for n, that is, whether 
$|M(n)| = \left| \sum_{i=1}^{n} \mu(i) \right| < \sqrt{n}$. 

4. Given a positive integer n, compute the cyclotomic polynomial of order n. 


7.5 Partitions 

A partition of a positive integer is a way to express it as a sum of positive integers 
where the order of the terms does not matter. In this section we will study partitions 
using a variety of ideas from number theory and from combinatorics. As such, we 
will be studying an aspect of combinatorial number theory. As you will see, partition 
theory is an amazingly rich area of study with many surprising results. Foremost among 
the many mathematicians who have studied partitions is Leonhard Euler, who made 
fundamental contributions to just about all of its aspects. Remarkably, new discoveries 
about partitions continue to be made today using a wide variety of techniques, many of 
which are elementary. 

We begin with some definitions. 

Definition. A partition of the positive integer n is a way of writing n as the sum 
of positive integers where the order of the integers in the sum does not matter. We 
specify a partition $\lambda$ when we write it as a nonincreasing sequence of positive integers 
$(\lambda_1, \lambda_2, \ldots, \lambda_r)$ such that $\lambda_1 + \lambda_2 + \cdots + \lambda_r = n$. The integers $\lambda_1, \lambda_2, \ldots, \lambda_r$ are called 
the parts of the partition $\lambda$. 

Example 7.18. The sequence (3, 1, 1) is a partition of 5 because 3 + 1 + 1 = 5 and 
$3 \ge 1 \ge 1$. The parts of this partition are 3, 1, and 1. Note that the integer 1 occurs twice 
as a part, illustrating that different parts of a partition may be the same. ◄ 

Another way to specify a partition of an integer is to give the number of times 
each integer occurs as a part. That is, we specify a partition of n when we write 
$n = k_1 a_1 + k_2 a_2 + \cdots + k_i a_i + \cdots$, where $a_1, a_2, \ldots$ are distinct nonnegative integers 
in increasing order. The integer $k_i$ is called the frequency of $a_i$; it tells us how many 
times $a_i$ occurs in the partition. For example, $1 \cdot 4 + 3 \cdot 3 + 3 \cdot 2 + 2 \cdot 1$ specifies the 
partition (4, 3, 3, 3, 2, 2, 2, 1, 1), where the frequencies of 4, 3, 2, and 1 are 1, 3, 3, and 
2, respectively. 

We will study arithmetic functions that count a variety of different types of partitions. 
We now introduce the most important of these functions. 

Definition. The number of different partitions of n is denoted by $p(n)$. We call $p(n)$ the 
partition function. We also define $p(0) = 1$, which makes sense because there is exactly 
one partition of the integer 0, the empty partition that has no parts. 

Example 7.19. We have $p(4) = 5$, as there are five partitions of 4, namely, (4), (3, 1), 
(2, 2), (2, 1, 1), and (1, 1, 1, 1). Note that $p(7) = 15$ because there are 15 different 
partitions of 7, namely (7), (6, 1), (5, 2), (5, 1, 1), (4, 3), (4, 2, 1), (4, 1, 1, 1), (3, 3, 1), 
(3, 2, 2), (3, 2, 1, 1), (3, 1, 1, 1, 1), (2, 2, 2, 1), (2, 2, 1, 1, 1), (2, 1, 1, 1, 1, 1), and 
(1, 1, 1, 1, 1, 1, 1). ◄ 

Fortunately, to find $p(n)$, we do not have to list all partitions of n. Instead, we 
can compute $p(n)$ using a recurrence relation proved later in this section (Theorem 7.25). 
This recurrence relation has been used to find $p(n)$ for n as large as 
25,000,000. It has also been shown that the number of partitions of n grows 
extremely rapidly, as can be seen using the asymptotic formula $p(n) \sim$ 
established in 1918 by Hardy and Ramanujan. (See [An98] for this formula and its 
proof.) This asymptotic formula approximates $p(n)$ fairly well; for instance, $p(1000)$ = 
24,061,467,864,032,622,473,692,149,727,991, while is approximately 
$2.4402 \times 10^{31}$. There is also an explicit formula for $p(n)$, found by Rademacher 
in 1937. This formula gives $p(n)$ as the value of a convergent series of terms where 
each term is quite complicated. Unfortunately, this explicit formula does not provide a 
practical way to compute $p(n)$. 

Restricted Partitions 

The partition function $p(n)$ counts all the partitions of n where there are no restrictions 
on the parts other than that they be positive integers. Consequently, $p(n)$ is said to count 
the number of unrestricted partitions of n. Next, we will introduce a variety of related 
functions that count restricted partitions, that is, partitions where the parts are subject to 
one or more particular restrictions. The reader should be aware that this notation is not 
standardized; different authors use a variety of notations to represent these functions. 

Definition. Let S be a subset of the set of positive integers and m a positive integer. 
We define 

$p_S(n)$ = number of partitions of n into parts from S, 
$p^D(n)$ = number of partitions of n into distinct parts, and 
$p_m(n)$ = number of partitions of n into parts each $\ge m$. 

We combine these notations to further define 

$p_S^D(n)$ = number of partitions of n into distinct parts from S, 
$p_m^D(n)$ = number of partitions of n into distinct parts each $\ge m$, 
$p_{m,S}(n)$ = number of partitions into parts each $\ge m$ from S, and 
$p_{m,S}^D(n)$ = number of partitions of n into distinct parts each $\ge m$ from S. 

We denote the set of odd integers by O and the set of even integers by E. So, with our 
notation, $p_O(n)$ denotes the number of partitions of n into odd parts and $p_E(n)$ denotes 
the number of partitions of n into even parts. 

When restrictions different from those covered by these notations arise, we will not 
introduce specific notation to count the partitions subject to these restrictions. Rather, 
we use the more flexible notation $p(n \mid \text{conditions})$ to count the partitions of n where the 
parts satisfy the conditions specified, as in $p(n \mid \text{no part appears once})$, $p(n \mid \text{every part 
occurs an odd number of times})$, $p(n \mid \text{no even part is repeated})$, and so on. 

Example 7.20. The partitions of 7 were listed in Example 7.19. We have $p_O(7) = 5$, 
$p^D(7) = 5$, and $p_2(7) = 4$, because those with odd parts are (7), (5, 1, 1), (3, 3, 1), 
(3, 1, 1, 1, 1), and (1, 1, 1, 1, 1, 1, 1), those with distinct parts are (7), (6, 1), (5, 2), (4, 3), 
and (4, 2, 1), and those with all parts at least two are (7), (5, 2), (4, 3), and (3, 2, 2). 

We see that $p_O^D(7) = 1$ because there is only one partition of 7 into odd and distinct 
parts, namely, (7). Also, we have $p(7 \mid \text{no part appears only once}) = 2$, as (2, 2, 1, 1, 1) 
and (1, 1, 1, 1, 1, 1, 1) are the partitions of 7 where each part appears more than once. 
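
The counts in Examples 7.19 and 7.20 can be reproduced by listing the partitions of 7 and filtering them by each restriction. The Python code below is an added example, not part of the original text; the function names are chosen here, and because it enumerates every partition it is only practical for small n.

```python
from collections import Counter


def partitions(n, max_part=None):
    """Yield each partition of n as a nonincreasing tuple (the empty tuple for n = 0)."""
    if max_part is None or max_part > n:
        max_part = n
    if n == 0:
        yield ()
        return
    for first in range(max_part, 0, -1):
        for rest in partitions(n - first, first):
            yield (first,) + rest


def count(n, condition=lambda parts: True):
    """p(n | condition): the number of partitions of n that satisfy `condition`."""
    return sum(1 for parts in partitions(n) if condition(parts))


def every_part(test):
    """Build a condition that holds when every part passes `test`."""
    return lambda parts: all(test(part) for part in parts)


def distinct(parts):
    """Condition for p^D: no part is repeated."""
    return len(set(parts)) == len(parts)


def both(*conditions):
    """Combine restrictions, as in the combined notations of the definition."""
    return lambda parts: all(cond(parts) for cond in conditions)


def no_part_once(parts):
    """Condition 'no part appears only once'."""
    return all(k >= 2 for k in Counter(parts).values())


def frequencies(parts):
    """Frequency form of a partition: pairs (k_i, a_i) with sum of k_i * a_i = n."""
    return [(k, a) for a, k in Counter(parts).items()]


ODD = every_part(lambda part: part % 2 == 1)


def at_least(m):
    """Condition for p_m: every part is at least m."""
    return every_part(lambda part: part >= m)


def example_counts(n=7):
    """The restricted counts discussed in Example 7.20, computed by enumeration."""
    return {
        "p": count(n),
        "p_O": count(n, ODD),
        "p^D": count(n, distinct),
        "p_2": count(n, at_least(2)),
        "p_O^D": count(n, both(ODD, distinct)),
        "no part once": count(n, no_part_once),
    }


if __name__ == "__main__":
    print(list(partitions(4)))
    print(example_counts(7))
    print(frequencies((4, 3, 3, 3, 2, 2, 2, 1, 1)))
```

The generator lists the partitions of 7 in the same order as Example 7.19, which makes the two lists easy to compare.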


Ferrers Diagrams 

Next, we describe a useful way to represent partitions graphically using a method devised 
by Norman Ferrers. To depict the partition $n = \lambda_1 + \lambda_2 + \cdots + \lambda_k$ with $\lambda_1 \ge \lambda_2 \ge \cdots \ge 
\lambda_k$, we use a diagram with k rows of dots with row j containing $\lambda_j$ dots, and all rows of 
dots left justified. Such a depiction of a partition is called a Ferrers diagram. 

Example 7.21. The Ferrers diagrams for the partitions (5, 2, 1, 1, 1), (4, 4, 2), and 
(3, 3, 3, 1) of 10 are shown in Figure 7.2. ◄ 

We now turn our attention to the partition produced by interchanging the rows and 
columns of the Ferrers diagram of a given partition. 

Definition. Given a partition $n = \lambda_1 + \lambda_2 + \cdots + \lambda_r$ with $\lambda_1 \ge \lambda_2 \ge \cdots \ge \lambda_r$, we 
define a new partition $\lambda' = \lambda'_1 + \lambda'_2 + \cdots + \lambda'_{\lambda_1}$, the conjugate of $\lambda$, where $\lambda'_i$ equals 
the number of parts of $\lambda$ that are at least i. A partition is self-conjugate if it is its own 
conjugate. 

Figure 7.2 Ferrers diagrams for the partitions (5, 2, 1, 1, 1), (4, 4, 2), and (3, 3, 3, 1). 

Example 7.22. Consider the partition $\lambda = (4, 4, 3, 2, 1)$ of n = 14. All five parts of $\lambda$ 
are at least one, four parts are at least two, three of the parts are at least three, and two 
of the parts are at least four. Hence, $\lambda'$, the conjugate partition of $\lambda$, is (5, 4, 3, 2). ◄ 

To see why the conjugate $\lambda'$ of $\lambda$ is itself a partition of n, we look at Ferrers diagrams. 
We see that the number of dots in the ith row of the Ferrers diagram of $\lambda'$ equals the 
number of the dots in the ith column of the Ferrers diagram of $\lambda$, because the number 
of dots in the ith column equals the number of rows with at least i dots. So, the Ferrers 
diagram of $\lambda'$ can be drawn by exchanging the rows of the Ferrers diagram for $\lambda$ for its 
columns. (Geometrically, the Ferrers diagram for $\lambda'$ is drawn by reflecting the Ferrers 
diagram for $\lambda$ across its diagonal beginning at its top left corner.) There are also the same 
number of dots in these two Ferrers diagrams. We also see that the parts of the conjugate 
$\lambda'$ are in nonincreasing order, as when i < j, the number of parts of $\lambda$ which are at least 
j does not exceed the number of parts which are at least i. 


NORMAN MACLEOD FERRERS (1829-1903), born in Gloucestershire, England, 
was an only child in a prosperous family. His father was a stockbroker 
from London and his mother came from the Hebrides Islands. Ferrers attended 
Eton from 1844-1846, and from 1846-1847 he was taught by the mathematician 
Harvey Goodwin. In 1847, Ferrers entered Gonville and Caius College at 
Cambridge University. He was a superb mathematics student, ranking at the top 
of his class, and was elected a fellow of his college in 1852. Later, Ferrers moved 
to London, where he completed studies in law. However, deciding against a career 
in law, he returned to Cambridge to study for the priesthood. However, he changed direction again 
when his reputation led to an offer of a position in mathematics and a lifelong career at Cambridge 
University. Ferrers was noted for his vivid exposition; he was praised as the best lecturer in the entire 
university. He was also noted as a university reformer and was appointed Vice-Chancellor of Cambridge 
University in 1884. Ferrers married in 1866; he and his wife, Emily, had five children. He was 
also elected a member of the Royal Society in 1877. 

Ferrers wrote several books and many articles on subjects including Lagrange's equations, 
spherical harmonics, trilinear and quadriplanar coordinates, and hydrodynamics. Ironically, you 
cannot find a discussion of what he is known for today, Ferrers diagrams, in his published works. 
Ferrers introduced these diagrams in his elegant solution of a problem appearing on an 1847 Tripos 
examination question at Cambridge. It is only through the writing of Sylvester that we know of Ferrers’ 
fundamental contribution to the study of partitions. Ferrers was grateful that Sylvester credited him 
with his idea and was pleased that his idea turned out so useful in the study of partitions. 






Example 7.23. We display the Ferrers diagrams for the conjugates of the three partitions
in Example 7.21 in Figure 7.3. By interchanging rows and columns, we see that
the conjugate partition of (5, 2, 1, 1, 1) is itself, showing it is self-conjugate. The conjugates
of (4, 4, 2) and (3, 3, 3, 1) are (3, 3, 2, 2) and (4, 3, 3), respectively, so neither is
self-conjugate. ◄


Figure 7.3 Ferrers diagrams for the conjugates of the partitions in Example 7.21.

Ferrers diagrams are useful for providing identities between functions counting 
different types of partitions. We illustrate this technique with an example. 

Theorem 7.18. If n is a positive integer, the number of partitions of n with largest part 
r equals the number of partitions of n into r parts. 

Proof. If $\lambda$ is a partition of n with largest part r, then its Ferrers diagram has exactly
r columns. To construct the Ferrers diagram of its conjugate $\lambda'$, we interchange rows
and columns in the Ferrers diagram. Consequently, the Ferrers diagram of the conjugate
partition has exactly r rows. This means that it is the Ferrers diagram of a partition
with exactly r parts. Furthermore, this correspondence can be reversed, as is easily seen.
Hence, we have a bijection between partitions of n with largest part r and those with
exactly r parts, completing the proof. ■


Using Generating Functions to Study Partitions 

We now introduce generating functions, an important tool for studying properties of 
sequences, especially those that arise in combinatorial problems. The generating function 
of a sequence $a_n$, n = 0, 1, 2, 3, ..., is the power series $\sum_{n=0}^{\infty} a_n x^n$. In this book, we will
restrict ourselves to working with generating functions as formal power series. That 
is, we will only use generating functions as a way to encode the coefficients of the 
power series, carrying out operations on formal power series using the same techniques 
that we use with polynomials. We will not be concerned with questions involving the 
convergence of these series. We will be able to use generating functions to prove many 
interesting identities about partitions. However, using techniques from analysis (see 
[An98] and [Gr82] ), many deep theorems about partitions can be proved using generating 
functions. 

First, we study the generating function for the number of unrestricted partitions of
integers.

Theorem 7.19. The generating function for p(n) equals

$$\sum_{n=0}^{\infty} p(n) x^n = \prod_{j=1}^{\infty} \frac{1}{1 - x^j}.$$

Proof. To prove the theorem, we need only show that for all positive integers n, the
coefficient of $x^n$ in the generating function for the infinite product on the right-hand
side of the equation equals p(n). To see this, first note that for a fixed value of j, the
generating function of $\frac{1}{1 - x^j}$ is $1 + x^j + x^{2j} + \cdots + x^{kj} + \cdots$. Consequently,

$$\prod_{j=1}^{\infty} \frac{1}{1 - x^j} = \prod_{j=1}^{\infty} \left(1 + x^j + x^{2j} + \cdots + x^{kj} + \cdots\right).$$

When we expand this product, terms of the sum are obtained by selecting for each
positive integer j one factor of the form $x^{kj}$ and multiplying these terms together.
Hence, the coefficient of $x^n$ in the generating function equals the number of solutions of
$k_1 a_1 + k_2 a_2 + \cdots = n$ where $a_i$ is a positive integer for each i, $a_i \neq a_j$ if $i \neq j$, and $k_j$ is a
nonnegative integer for all j. As noted previously, there are exactly p(n) such solutions,
because there is a one-to-one correspondence between such solutions and partitions of
n where $k_i$ is the frequency of the part $a_i$. This proves the theorem. ■

Next, we find the generating function for $p^D$, the number of partitions of an integer
into distinct parts.

Theorem 7.20. The generating function for $p^D$ equals

$$\sum_{n=0}^{\infty} p^D(n) x^n = \prod_{j=1}^{\infty} (1 + x^j).$$

Proof. Observe that the coefficient of $x^n$ equals the number of ways to express $x^n$ as
the product of distinct terms of the form $x^j$ where j is a positive integer. Hence, the
coefficient of $x^n$ in the sum formed by multiplying the factors in the infinite product
equals the number of ways to write n as the sum of distinct exponents from the set of
positive integers. It follows that this coefficient is exactly $p^D(n)$. This proves the theorem.


We can easily generalize Theorems 7.19 and 7.20 to restricted partitions of n where 
the parts are restricted to belong to a subset S of the set of positive integers. These
generalizations are given in Theorem 7.21. We leave its proof as an exercise. 

Theorem 7.21. Let S be a subset of the set of positive integers. Then the generating
function for $p_S(n)$, the number of ways that n can be written as the sum of elements of S,
and for $p_S^D(n)$, the number of ways that n can be written as the sum of distinct elements
of S, equal

$$\sum_{n=0}^{\infty} p_S(n) x^n = \prod_{j \in S} \frac{1}{1 - x^j}$$

and

$$\sum_{n=0}^{\infty} p_S^D(n) x^n = \prod_{j \in S} (1 + x^j).$$

The next theorem illustrates how generating functions can be used to prove interesting
results about partitions. Recall from Example 7.20 that there are five partitions of
seven into odd parts and there are also five partitions of seven into distinct parts, that is,
$p_O(7) = p^D(7) = 5$. This is no coincidence, as the next theorem shows.


Theorem 7.22. Euler Parity Theorem. If n is a positive integer, then $p_O(n) = p^D(n)$.
That is, there are the same number of partitions of n into odd parts as there
are partitions of n into distinct parts.


Proof. We will prove this theorem just as Euler did. We will show that the generating
functions for $p_O(n)$ and $p^D(n)$ really are the same, even though the infinite products that
represent them look different at first blush.

By Theorems 7.20 and 7.21, we know that $\sum_{n=0}^{\infty} p^D(n) x^n = \prod_{i=1}^{\infty} (1 + x^i)$ and
$\sum_{n=0}^{\infty} p_O(n) x^n = \prod_{j \in O} \frac{1}{1 - x^j} = \prod_{i=1}^{\infty} \frac{1}{1 - x^{2i-1}}$. We will show that these two infinite
products are equal. To do so, first note that

$$\prod_{i=1}^{\infty} (1 + x^i) = \prod_{i=1}^{\infty} \frac{1 - x^{2i}}{1 - x^i},$$

because $(1 + x^i)(1 - x^i) = 1 - x^{2i}$. Next, we observe that

$$\prod_{i=1}^{\infty} \frac{1 - x^{2i}}{1 - x^i} = \frac{1 - x^2}{1 - x} \cdot \frac{1 - x^4}{1 - x^2} \cdot \frac{1 - x^6}{1 - x^3} \cdots = \prod_{i=1}^{\infty} \frac{1}{1 - x^{2i-1}},$$

because all terms of the form $1 - x^{2i}$ can be canceled from the numerator and denominator
of the product. Putting things together, we conclude that
$\prod_{i=1}^{\infty} (1 + x^i) = \prod_{i=1}^{\infty} \frac{1}{1 - x^{2i-1}}$.

We have now shown that the generating functions for $p_O(n)$ and $p^D(n)$ are the same.
This means that $p_O(n) = p^D(n)$ for every positive integer n. ■


Another way to prove Euler’s parity theorem is to find a bijection between partitions 
of n with odd parts and those with distinct parts. We outline such a proof in Exercise 
32. Although finding a bijection between two sets of partitions provides a great deal 
of insight behind a partition identity, it is often easier to prove such an identity using 
generating functions. In fact, mathematicians often continue to look for bijections to 
explain partition identities that were first proved using generating functions. 
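
The products in Theorems 7.19 through 7.21 can be expanded mechanically as truncated formal power series, which gives a direct check of Euler's parity theorem and of the values $p_O(7) = p^D(7) = 5$ quoted above. The Python below is an added example, not code from the text; the function names are chosen here.

```python
"""Truncated formal power series for the products in Theorems 7.19-7.22.

Added illustration; function names are chosen for this example.
"""


def product_series(parts, n_max, distinct=False):
    """Coefficients of x^0 .. x^n_max in the generating function of Theorem 7.21.

    distinct=False expands prod_{j in S} 1/(1 - x^j)  -> p_S(n)
    distinct=True  expands prod_{j in S} (1 + x^j)    -> p_S^D(n)
    Parts larger than n_max cannot affect these coefficients, so the
    infinite product is truncated there; no convergence question arises.
    """
    coeffs = [1] + [0] * n_max          # start from the series "1"
    for j in sorted(set(parts)):
        if j < 1 or j > n_max:
            continue
        if distinct:
            # Multiply by (1 + x^j). Running n downward means coeffs[n - j]
            # has not yet absorbed x^j, so each part is used at most once.
            for n in range(n_max, j - 1, -1):
                coeffs[n] += coeffs[n - j]
        else:
            # Multiply by 1 + x^j + x^2j + ... . Running n upward lets
            # coeffs[n - j] already contain copies of j, so j may repeat.
            for n in range(j, n_max + 1):
                coeffs[n] += coeffs[n - j]
    return coeffs


def count_by_listing(n, allowed, distinct=False, largest=None):
    """Count partitions of n with parts in `allowed` by direct enumeration.

    Parts are chosen in nonincreasing order; this is an independent check
    on product_series and is only practical for small n.
    """
    if n == 0:
        return 1
    if largest is None:
        largest = n
    total = 0
    for part in range(min(n, largest), 0, -1):
        if part in allowed:
            next_largest = part - 1 if distinct else part
            total += count_by_listing(n - part, allowed, distinct, next_largest)
    return total


def euler_parity_holds(n_max):
    """True if p_O(n) = p^D(n) for every 0 <= n <= n_max (Theorem 7.22)."""
    odd_parts = range(1, n_max + 1, 2)
    all_parts = range(1, n_max + 1)
    return (product_series(odd_parts, n_max)
            == product_series(all_parts, n_max, distinct=True))


if __name__ == "__main__":
    n_max = 12
    print("p(n)   :", product_series(range(1, n_max + 1), n_max))
    print("p_O(n) :", product_series(range(1, n_max + 1, 2), n_max))
    print("p^D(n) :", product_series(range(1, n_max + 1), n_max, distinct=True))
    print("parity theorem holds up to 60:", euler_parity_holds(60))
```
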

Euler’s Pentagonal Number Theorem

We now turn our attention to another discovery about partitions made by Leonhard Euler,
who uncovered a surprising identity with important consequences. From Theorem 7.20,
we know that $\prod_{i=1}^{\infty} (1 + x^i) = \sum_{n=0}^{\infty} p^D(n) x^n$. What can we say about the related infinite
product $\prod_{i=1}^{\infty} (1 - x^i)$, where the plus sign in each term has been changed to a minus sign?
What generating function does this infinite product represent? The following theorem
answers this question.

Theorem 7.23. We have

$$\prod_{i=1}^{\infty} (1 - x^i) = \sum_{n=1}^{\infty} a_n x^n,$$

where $a_n$ = p(n | even number of distinct parts) − p(n | odd number of distinct parts).

Proof. Consider all contributions to the $x^n$ term in the generating function when we
multiply out the infinite product. Each such contribution comes from a partition of n into
distinct integers and brings a sign of +1 if there are an even number of distinct parts and
a sign of −1 if there are an odd number of distinct parts. Hence, the coefficient of $x^n$ in
the generating function is p(n | even number of distinct parts) − p(n | odd number of
distinct parts). ■

What Euler discovered is that there is a simple formula for the coefficients in the 
generating function in Theorem 7.23. 

Theorem 7.24. Euler’s Pentagonal Number Theorem. If n is a positive integer, then
p(n | even number of distinct parts) − p(n | odd number of distinct parts) = $(-1)^k$ if
n = k(3k ± 1)/2 for some positive integer k, and it equals 0 otherwise. Equivalently,

$$\prod_{i=1}^{\infty} (1 - x^i) = \sum_{n=-\infty}^{\infty} (-1)^n x^{n(3n-1)/2} = 1 + \sum_{n=1}^{\infty} (-1)^n x^{n(3n-1)/2} (1 + x^n).$$

Remark. Euler used generating functions to prove Theorem 7.24. Instead of that approach,
we will present a simpler proof discovered in 1881 by Fabian Franklin, a professor
at Johns Hopkins University. This clever proof is often cited as the first substantial
contribution of an American mathematician.

Proof. To prove the theorem, we will set up a correspondence between partitions with 
an even number of distinct parts and those with an odd number of distinct parts. We 
will show that this correspondence is one-to-one except when n = k(3k ± 1)/2 for some
positive integer k. In these cases, one of the two sets of partitions contains an extra 
partition. 

We use the Ferrers diagram for a partition of n to set up this correspondence. 
Consider two parts of the diagram, the last row with b dots and the diagonal D starting at 
the last dot on the first row (going from the top right toward the bottom left), containing 
k dots. This diagonal is made up of the last dot in all rows starting at the top row that 
contain exactly one fewer dot than the row above it. 

We now construct a new Ferrers diagram from the Ferrers diagram of our partition.
When b ≤ k, we move the dots in the last row. We insert one of these dots in each of the
top b rows. (Note that because b ≤ k, there are at least as many remaining rows as dots
in the last row.) This produces a diagonal to the right of the diagonal D, and the resulting
Ferrers diagram represents a partition with distinct parts. When b > k, we move the dots
in D to form the last row of the new Ferrers diagram. We note that this new row has fewer
dots than the preceding row. As the reader should verify, each of these two operations
transforms a partition with an even number of distinct parts into one with an odd number
of distinct parts, and vice versa. This sets up a one-to-one correspondence. We illustrate
these transformations in Figure 7.4.


Figure 7.4 Examples of the two cases of Franklin’s correspondence, with b ≤ k and b > k,
respectively.


The exceptional cases arise when b = k or b = k + 1. In each of these cases, there
is a partition with distinct parts that cannot be transformed into a second partition where
the number of parts has opposite parity. These are precisely the two cases where the
diagonal D and the last row have a common dot. When b = k, the Ferrers diagram has k
rows, where the bottom row has k dots, and all other rows have one more dot than the
one below it, so that

$$n = k + (k + 1) + \cdots + (2k - 1) = \sum_{j=1}^{2k-1} j - \sum_{j=1}^{k-1} j = (2k - 1)2k/2 - (k - 1)k/2 = k(3k - 1)/2$$

(where we have used the formula from Example 1.19). Similarly, when b = k + 1, the
Ferrers diagram has k rows where the bottom row has k + 1 dots and all other rows have
one more dot than the row below it, so that

$$n = (k + 1) + (k + 2) + \cdots + 2k = \sum_{j=1}^{2k} j - \sum_{j=1}^{k} j = 2k(2k + 1)/2 - k(k + 1)/2 = k(3k + 1)/2.$$

Consequently, when n = k(3k ± 1)/2, the difference between the number of partitions
with an odd number of distinct parts and the number of partitions with an even
number of distinct parts equals $(-1)^k$. Otherwise, this difference equals 0. ■

The exceptional cases when n = k(3k ± 1)/2 for some positive integer k are the
reason why this theorem is called Euler’s pentagonal number theorem. Recall (from
Exercise 10 in Section 1.2) that $p_k = k(3k - 1)/2$ is the kth pentagonal number that
counts the number of dots inside k nested pentagons. We extend this sequence to negative
indices by taking $p_{-k} = -k(-3k - 1)/2 = k(3k + 1)/2$. The terms of the sequence
$p_k$, k = 0, ±1, ±2, ... are called the generalized pentagonal numbers. So, the exceptional
cases of Theorem 7.24 arise precisely when n is a generalized pentagonal number.

One consequence of Euler’s pentagonal number theorem is an amazing recurrence 
relation for p(n) also discovered by Euler. 

Theorem 7.25. Euler’s Partition Formula. Suppose that n is a positive integer. Then

$$p(n) = p(n - 1) + p(n - 2) - p(n - 5) - p(n - 7) + p(n - 12) + p(n - 15) - \cdots + (-1)^{k-1}\left[p\big(n - k(3k - 1)/2\big) + p\big(n - k(3k + 1)/2\big)\right] + \cdots.$$

Proof. Using the infinite product expansion $\sum_{n=0}^{\infty} p(n) x^n = \prod_{i=1}^{\infty} \frac{1}{1 - x^i}$ together with
the identity $\prod_{i=1}^{\infty} (1 - x^i) = 1 + \sum_{n=1}^{\infty} (-1)^n x^{n(3n-1)/2} (1 + x^n)$ from Euler’s pentagonal
number theorem, we see that

$$1 = \prod_{i=1}^{\infty} \frac{1}{1 - x^i} \cdot \prod_{i=1}^{\infty} (1 - x^i) = \left(\sum_{n=0}^{\infty} p(n) x^n\right)\left(1 + \sum_{n=1}^{\infty} (-1)^n x^{n(3n-1)/2} (1 + x^n)\right).$$

We now equate the coefficients of $x^n$ of the constant function 1 and the function on the
last line of this string of equalities to see that for n > 0,

$$0 = p(n) - p(n - 1) - p(n - 2) + p(n - 5) + p(n - 7) + \cdots + (-1)^k p\big(n - k(3k - 1)/2\big) + (-1)^k p\big(n - k(3k + 1)/2\big) + \cdots.$$

Solving this last equation for p(n) completes the proof. ■

In the late nineteenth century, Percy MacMahon used Euler’s partition formula to
compute p(n) for 1 ≤ n ≤ 200, finding that p(200) = 3,972,999,029,388. Surprisingly,
Euler’s recurrence relation is the most efficient way known for computing p(n). It can
be shown (see Exercise 38) that this method computes p(n) using $O(n^{3/2})$ operations.

Ramanujan’s Contributions 

The famous Indian mathematician Srinivasa Ramanujan made many important contri- 
butions to the theory of partitions. We will now briefly describe some of these. 

Among the amazing discoveries made by Ramanujan about partitions are some
congruences satisfied by values of the partition function. In particular, he showed that
for all positive integers k, we have

$p(5k + 4) \equiv 0 \pmod{5}$,
$p(7k + 5) \equiv 0 \pmod{7}$, and
$p(11k + 6) \equiv 0 \pmod{11}$.

Elementary proofs of each of these three congruences can be found in [An98], but will not be
given here.
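
Theorem 7.25 turns directly into a table-filling computation, and the resulting table makes it easy to check MacMahon's value of p(200) and Ramanujan's three congruences on that range. The Python below is an added example, not code from the text; the function names are chosen here.

```python
"""Euler's partition formula (Theorem 7.25) as a table-filling recurrence.

Added illustration; function names are chosen for this example.
"""


def generalized_pentagonal_terms(n):
    """Yield (sign, g) for each generalized pentagonal number g <= n.

    For k = 1, 2, 3, ... the numbers k(3k - 1)/2 and k(3k + 1)/2 both carry
    the sign (-1)^(k-1) in Theorem 7.25.
    """
    k = 1
    while True:
        sign = 1 if k % 2 == 1 else -1
        g = k * (3 * k - 1) // 2
        if g > n:
            return
        yield sign, g
        g += k                      # k(3k + 1)/2 = k(3k - 1)/2 + k
        if g <= n:
            yield sign, g
        k += 1


def partition_numbers(n_max):
    """Return the list [p(0), p(1), ..., p(n_max)], with p(0) = 1."""
    p = [1] + [0] * n_max
    for n in range(1, n_max + 1):
        p[n] = sum(sign * p[n - g] for sign, g in generalized_pentagonal_terms(n))
    return p


def terms_used(n):
    """Number of earlier values p(n - g) the recurrence reads to get p(n).

    This grows like a constant times sqrt(n), which is where the
    O(n^(3/2)) operation count for the whole table comes from.
    """
    return sum(1 for _ in generalized_pentagonal_terms(n))


def ramanujan_congruences_hold(p):
    """Check p(5k+4), p(7k+5), p(11k+6) modulo 5, 7, 11 over the table p."""
    for modulus, offset in ((5, 4), (7, 5), (11, 6)):
        if any(p[n] % modulus for n in range(offset, len(p), modulus)):
            return False
    return True


if __name__ == "__main__":
    table = partition_numbers(200)
    print("p(1..12):", table[1:13])
    print("p(200)  :", table[200])
    print("terms read for p(200):", terms_used(200))
    print("Ramanujan congruences hold up to n = 200:",
          ramanujan_congruences_hold(table))
```
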

Congruences of the form $p(ak + b) \equiv 0 \pmod{m}$, where a, b, and m are positive
integers, are called Ramanujan congruences. Ramanujan and other mathematicians
proved congruences of this form when m is a power of 5, 7, 11, or 13. For many years
it was widely believed that Ramanujan congruences held for no other prime moduli.
However, in 2000 Kenneth Ono made a surprising discovery when he used the powerful
theory of modular forms to show that Ramanujan congruences exist modulo p for
every prime p > 5. Soon afterward with Scott Ahlgren, he proved that such congruences
exist modulo m for every integer m relatively prime to 6. The Ramanujan congruences
discovered by Ono are much more complicated than those discovered by Ramanujan.
For instance, Ono’s work shows that

$p(11864749k + 56062) \equiv 0 \pmod{13}$ and
$p(48037937k + 1122838) \equiv 0 \pmod{17}$.

Ramanujan is also known for bringing to light two important partition identities 
originally discovered by the English mathematician Leonard James Rogers in the 1890s, 
little known until Ramanujan rediscovered them. We refer the reader to [An98] for their 
proofs. 

Theorem 7.26. First Rogers-Ramanujan Identity. If n is a positive integer, then the 
number of partitions of n into parts differing by at least 2 equals the number of partitions 
of n into parts congruent to 1 or 4 modulo 5. ■ 

Theorem 7.27. Second Rogers-Ramanujan Identity. If n is a positive integer, then 
the number of partitions of n that have parts that differ by at least 2 and that are at least 
2 equals the number of partitions of n into parts congruent to 2 or 3 modulo 5. ■ 

The Rogers-Ramanujan identities have been generalized in many ways. Work on such
identities continues to be an active area of research.

In this section, we have only scratched the surface of partition theory. Readers who
want to read more about this fascinating subject can learn more by consulting [AnEr04]
or [An98].


7.5 Exercises 

1. By listing all partitions of n, find p(n) when n equals
a) 2 b) 4 c) 6 d) 9

2. By listing all partitions of n, find p(n) when n equals each of these values.

a) 3 b) 5 c) 8 d) 11

3. Use your answer to part (c) of Exercise 1 to find $p_O(6)$, $p^D(6)$, and $p_2(6)$.

4. Use your answer to part (c) of Exercise 2 to find $p_O(8)$, $p^D(8)$, and $p_2(8)$.

5. Using your answer for part (d) of Exercise 1, find these values. 

a) Po(9) d)p°(9) g)p 2 D (9) 

b) p e (9) e) p 2 (9) h) p 2 0 (9) 

c ) P[m\m=l (mod 3)}(^) ^ ) Po ^ 

6. Using your answer for part (d) of Exercise 2, find these values. 

a) Po(H) d) p D (\\) g) pf (11) 

b) p E (U) e)p 2 ( 11) h)p 30 (ll) 

c) /? {in | M ^l(mod3)}(H) f)Po(H) 

Denote the number of partitions of n into exactly k parts by p(n, k).

7. Show that if n is a positive integer, then $\sum_{k=1}^{n} p(n, k) = p(n)$.

8. Find p(4, k) for k = 1, 2, 3, 4 and verify that $\sum_{k=1}^{4} p(4, k) = p(4)$.

9. Find p(5, k) for k = 1, 2, 3, 4, 5 and verify that $\sum_{k=1}^{5} p(5, k) = p(5)$.

10. Show that if n is a positive integer, then p(n, k) satisfies the recursive formula p(1, 1) = 1,
p(n, k) = 0 if k > n or k = 0, and p(n, k) = p(n − 1, k − 1) + p(n − k, k) if n ≥ 2 and
1 ≤ k ≤ n.

11. Find a formula for the number of partitions of a positive integer n made up of exactly two 
parts. 

12. Find the conjugate partition of the partition of n consisting of one part, namely, n itself. 

13. Find the conjugate partitions of each of these partitions of 15. Use your result to determine 
whether the partition is self-conjugate. 

a) 6, 4, 2, 2, 1 c) 4, 3, 3, 2, 1, 1, 1 

b) 8, 7 d) 2, 2, 2, 2, 2, 1, 1, 1, 1, 1 

14. Find the conjugate partitions of each of these partitions of 16. Use your result to determine 
whether the partition is self-conjugate. 

a) 5, 4, 2, 2, 2, 1 c) 5, 5, 2, 2, 1, 1 

b) 11, 5 d) 3, 3, 3, 3, 3, 1 

15. Find all self-conjugate partitions of 15. 

16. Find all self-conjugate partitions of 16. 

17. Use Ferrers diagrams to show that p(n | at most m parts) = p(n | no part is greater than m)
when n and m are positive integers with 1 < m < n.

18. Use Ferrers diagrams to show that $p^D(n)$ = p(n | there are parts of every size from 1 to the
size of the largest part).

19. Find an infinite product for the generating function of p(n | parts are distinct powers of 2).
Use Theorem 2.1 to find the generating function for this infinite product.

20. Find an infinite product for the generating function of $p_{\{k \mid k \equiv 1 \pmod{3}\}}(n)$. Expand this product
to find $p_{\{k \mid k \equiv 1 \pmod{3}\}}(n)$ for 1 < n < 16.

21. Find an infinite product for the generating function of p(n | no even part is repeated). Expand
this product to find p(n | no even part is repeated) for 1 < n < 10.

22. Find an infinite product for the generating function of p(n | no part appears more than d
times), where d is a positive integer. Expand this product to find p(n | no part appears more
than 3 times) for 1 < n < 10.

23. Find an infinite product for the generating function of $p_{\{k \mid d \nmid k\}}(n)$, the number of partitions of
n where no part is divisible by d, where d is a positive integer. Expand this product to find
$p_{\{k \mid 4 \nmid k\}}(n)$ for 1 < n < 10.

24. Find an infinite product for the generating function for p(n | for all j, part j occurs fewer
than j times). Expand this product to find the number of partitions of n where j occurs fewer
than j times for all j for 1 < n < 10.

25. Find an infinite product generating function for p(n | no part is a perfect square). Expand this
product to find the number of partitions of n where no part is a perfect
square for 1 < n < 10.

26. Use Exercises 21, 22, and 23 to show that $p_{\{k \mid 4 \nmid k\}}(n)$ = p(n | no even part is repeated) =
p(n | no part occurs more than three times) for all positive integers n.

27. Use Exercises 22 and 23 to show that p(n | no part occurs more than d times) = $p_{\{k \mid (d+1) \nmid k\}}(n)$
when d is a positive integer.

28. Use Exercises 24 and 25 to show that p(n | for all j, part j occurs fewer than j times) = p(n |
no part is a perfect square) for all positive integers n.

29. Show that there are p(n) − p(n − 1) partitions of the positive integer n that do not contain
the integer 1 as a part

a) using generating functions. b) using a bijection. 

* 30. Use Ferrers diagrams to show that the number of self-conjugate partitions of a positive integer n
equals $p_O^D(n)$, the number of partitions of n into distinct odd parts. (Hint: Count
the dots in the first row or column of the Ferrers diagram of a self-conjugate partition to get
the first row of the Ferrers diagram for a partition with distinct odd parts).

31. Prove that $p_{\{1\}}(n)$ = p(n | distinct powers of 2). To set up this bijection, merge pairs of ones
into twos, pairs of twos into fours, and so on, continuing until all parts are distinct. Explain
why this proves that every positive integer can be written uniquely as the sum of distinct
powers of 2.

* 32. Use a bijection to prove Euler’s parity theorem. (Hint: Starting with a partition with odd parts,
successively merge parts of equal size until all parts are distinct; for the reverse direction,
successively split even parts into two smaller parts of the same size.)

33. Use Exercise 30 to show that p(n) is odd if and only if $p_O^D(n)$, the number of partitions into
distinct odd parts, is odd.

34. Show that p(n) ≥ p(n − 1) for every positive integer n. (Hint: Use Exercise 29.)

* 35. Show that p(n) ≤ p(n − 1) + p(n − 2) for all positive integers n ≥ 2, and use this inequality
to show that p(n) ≤ $f_{n+1}$ (the (n + 1)st Fibonacci number). (Hint: Use Exercise 34 and show
that p(n − 2) ≤ p(n | no part equals 1).)

36. Show that if n is a positive integer, then p(n) ≤ (p(n − 1) + p(n + 1))/2.

37. Use Euler’s partition formula to find p(n) for all positive integers n with n < 12.

38. Show that p(n) can be computed using $O(n^{3/2})$ bit operations using Euler’s partition formula.

39. Prove Theorem 7.21.

40. Verify the first and second Rogers-Ramanujan identities for n = 9.

41. Verify the first and second Rogers-Ramanujan identities for n = 11.

* 42. Prove that if n is a positive integer, then $p(n) = \frac{1}{n} \sum_{k=1}^{n} \sigma(k)\, p(n - k)$. (Hint: Take logarithms
of both sides of the equation in Theorem 7.19, then differentiate.)


Computations and Explorations 

1. Find p(100). 

2. Find p(500). 

* 3. Use numerical evidence to conjecture a formula for the number of partitions of an integer n 

into exactly three parts. 

4. Verify Ramanujan’s congruences $p(5k + 4) \equiv 0 \pmod{5}$, $p(7k + 5) \equiv 0 \pmod{7}$, and
$p(11k + 6) \equiv 0 \pmod{11}$ for as many positive integers k as you can.

* 5. Looking at values of p(n) for 1 < n < 1000, find congruences of the form $p(5^2 k + b) \equiv 0 \pmod{5^2}$,
$p(7^2 k + b) \equiv 0 \pmod{7^2}$, and $p(5^3 k + b) \equiv 0 \pmod{5^3}$ that may hold for all
positive integers k.

6. Kolberg has shown that there are infinitely many positive integers n for which p(n) is odd,
and infinitely many for which p(n) is even. Parkin and Shanks conjectured that the proportion
of n for which p(n) is even (or odd) approaches 1/2 as n grows. Determine the parity of p(n)
for as many positive integers as you can to gather evidence for this conjecture.

7. It is unknown whether there are infinitely many positive integers n for which p(n) is divisible
by 3. Find as many positive integers n as you can for which 3 divides p(n).

8. Erdős has conjectured that if m is a positive integer and r is an integer with 0 < r < m, then there
exists a positive integer n such that $p(n) \equiv r \pmod{m}$. Furthermore, Newman has conjectured
there are infinitely many such n given m and r. Gather as much evidence as you can to support
these conjectures.

9. Find as many values of n as you can for which p(n) is a prime. 

10. Investigate how well the Hardy and Ramanujan asymptotic formula approximates p(n) as n 
grows. 

Programming Projects 

1. Given a positive integer n, find p(n) using Euler’s partition formula. 

2. Given a positive integer n, find $p^D(n) = p_O(n)$.

3. Given a positive integer n and positive integers m and r with 0 < r < m, find $p_S(n)$, where
S is the set of integers congruent to r modulo m.

8


How can you make a message secret, so that only the intended recipient of the
message can recover it? This problem has interested people since ancient times,
especially in diplomacy, military affairs, and commerce. In the modern world, making
messages secret has become even more important, especially with the advent of electronic
messaging and the Internet. This chapter is devoted to cryptology, the discipline
devoted to secrecy systems. We will introduce some of the classical methods for making
messages secret, starting with methods used in the Roman Empire, 2000 years ago. We
will describe variations and modifications of these classical methods developed in the
past two centuries, all based on modular arithmetic, and introduce the basic terminology
and concepts of cryptology through our study of these methods. In all these classical
systems, two people who wish to communicate privately must share a common secret
key.

Since the 1970s, the notion of public key cryptography has been introduced and 
developed. In public key cryptography, two people who wish to communicate need not 
share a common key; instead, each person has both a private key that only this person 
knows and a public key that everyone knows. Using a public key system, you can send
someone a message using their public key so that only that person can recover the 
message, using the corresponding private key. We will introduce the RSA cryptosystem, 
the most commonly used public key cryptosystem, whose security is based on the 
difficulty of factoring integers. We will also study a proposed public key cryptosystem, 
based on the knapsack problem, which (although promising) turned out not to be suitable. 

Finally, we will discuss some cryptographic protocols. These are algorithms used 
to create agreements among two or more parties to achieve some common goal. We 
will show how cryptographic techniques that we have developed can be used to allow 
people to share common encryption keys, to sign electronic messages, to play poker 
electronically, and to share a secret. 


8.1 Character Ciphers 

Some Terminology 

Before discussing specific secrecy systems, we present the basic terminology of secrecy 
systems. The discipline devoted to secrecy systems is called cryptology. Cryptography is 
the part of cryptology that deals with the design and implementation of secrecy systems, 
while cryptanalysis is aimed at “breaking” (defeating) these systems. A message that is 
to be altered into a secret form is called plaintext. A cipher, or encryption method, is a
procedure, or method, for altering a plaintext message into ciphertext by changing the letters
of the plaintext using a transformation. The key determines a particular transformation 
from a set of possible transformations. The process of changing plaintext into ciphertext 
is called encryption, or enciphering, while the reverse process of changing the ciphertext 
back to the plaintext by the intended receiver, who possesses knowledge of the method 
for doing so, is called decryption, or deciphering. This, of course, is different from 
the process that someone other than the intended receiver uses to make the message 
intelligible, through cryptanalysis. 

By a cryptosystem we mean the collection made up of a set of allowable plaintext
messages, a set of possible ciphertext messages, a set of keys where each key specifies a
particular encryption function, and the corresponding encryption functions and decryption
functions. Formally, a cryptosystem is a system that consists of a finite set $\mathcal{P}$ of
possible plaintext messages, a finite set $\mathcal{C}$ of possible ciphertext messages, a key space $\mathcal{K}$
of possible keys, and for each key k in the key space $\mathcal{K}$, an encryption function $E_k$ and
a corresponding decryption function $D_k$, such that $D_k(E_k(x)) = x$ for every plaintext
message x.

The Caesar Cipher 

In this chapter, we present secrecy systems based on modular arithmetic. The first of these 
had its origin with Julius Caesar; the newest systems that we will discuss were invented 
in the late 1970s. In all these systems, we start by translating letters into numbers. We 
take as our standard alphabet the letters of English and translate them into the integers 
from 0 to 25, as shown in Table 8.1. 


Letter                 A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Numerical Equivalent   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Table 8.1 The numerical equivalents of letters.


Of course, if we were sending messages in Russian, Greek, Hebrew, or any other 
language, we would use the appropriate alphabet and range of integers. Also, we may 
want to include all ASCII characters, including punctuation marks, a symbol to indicate 
blanks, and the digits for representing numbers as part of the message. However, for 
the sake of simplicity, we restrict ourselves to the letters of the English alphabet. The 
transformation of letters to numbered equivalents can be done in many other ways 
(including translation to bit strings). Here we have chosen a simple and easily understood 
transformation for simplicity. 

First, we discuss secrecy systems based on transforming each letter of the plaintext 
message into a different letter (or possibly the same) to produce the ciphertext. The en- 
cryption methods in these cryptosystems are called character, or monographic, ciphers, 
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because each character is changed individually to another letter by a substitution. Alto- 
gether, there are 26! possible ways to produce a monographic transformation. We will 
discuss some particular monographic transformations based on modular arithmetic. 

Julius Caesar used a cipher based on the substitution in which each letter is replaced 
by the letter three further down the alphabet, with the last three letters shifted to the first 
three letters of the alphabet. To describe this cipher using modular arithmetic, let P be 
the numerical equivalent of a letter in the plaintext and C be the numerical equivalent of 
the corresponding ciphertext letter. Then 

$C \equiv P + 3 \pmod{26}$, $0 \le C \le 25$. 

The correspondence between plaintext and ciphertext is given in Table 8.2. 



Plaintext     A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
              3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2
Ciphertext    D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  A  B  C


Table 8.2 The correspondence of letters for the Caesar cipher. 


To encrypt a message using this transformation, we first change it to its numerical 
equivalent, grouping letters in blocks of five. Then we transform each number. The 
grouping of letters into blocks helps to prevent successful cryptanalysis based on recognizing 
particular words. We illustrate this procedure in Example 8.1. 

Example 8.1. To encrypt the message 

THIS MESSAGE IS TOP SECRET, 

we break it into groups of five letters. The message becomes 

THISM ESSAG EISTO PSECR ET. 

Converting the letters into their numerical equivalents, we obtain 

19 7 8 18 12 4 18 18 0 6 4 8 18 19 14 
15 18 4 2 17 4 19. 

Using the Caesar transformation $C \equiv P + 3 \pmod{26}$, this becomes 

22 10 11 21 15 7 21 21 3 9 7 11 21 22 17 
18 21 7 5 20 7 22. 

Translating back to letters, we have 

WKLVP HVVDJ HLVWR SVHFU HW. 

This is the encrypted message. ◄ 

The receiver decrypts a message in the following manner. First, the letters are 
converted to numbers. Then, the relationship $P \equiv C - 3 \pmod{26}$, $0 \le P \le 25$, is used 
to change the ciphertext back to the numerical version of the plaintext, and finally the 
message is converted to letters. 

We illustrate the deciphering procedure in the following example. 

Example 8.2. To decrypt the message 

WKLVL VKRZZ HGHFL SKHU 

encrypted by the Caesar cipher, we first change these letters into their numerical 
equivalents, to obtain 

22 10 11 21 11 21 10 17 25 25 7 6 7 5 11 18 10 7 20. 

Next, we perform the transformation $P \equiv C - 3 \pmod{26}$ to change this to plaintext, 
and we obtain 

19 7 8 18 8 18 7 14 22 22 4 3 4 2 8 15 7 4 17. 

We translate this back to letters and recover the plaintext message. 

THISI SHOWW EDECI PHER 

By combining the appropriate letters into words, we find that the message reads 

THIS IS HOW WE DECIPHER ◄ 


Affine Transformation 

The Caesar cipher is one of a family of similar ciphers described by a shift transformation 

$C \equiv P + k \pmod{26}$, $0 \le C \le 25$, 

where k is the key representing the size of the shift of letters in the alphabet. There are 
26 different transformations of this type, including the case of $k \equiv 0 \pmod{26}$, where 
letters are not altered, because in this case $C \equiv P \pmod{26}$. 

More generally, we will consider transformations of the type 

(8.1)   $C \equiv aP + b \pmod{26}$, $0 \le C \le 25$, 

where a and b are integers with (a, 26) = 1. These are called affine transformations. 
Shift transformations are affine transformations with a = 1. We require that (a, 26) = 1, 
so that as P runs through a complete system of residues modulo 26, C also does. There 
are $\phi(26) = 12$ choices for a, and 26 choices for b, giving a total of $12 \cdot 26 = 312$ 
transformations of this type (one of these is $C \equiv P \pmod{26}$ obtained when a = 1 and 
b = 0). If the relationship between plaintext and ciphertext is described by (8.1), then 
the inverse relationship is given by 

$P \equiv \bar{a}(C - b) \pmod{26}$, $0 \le P \le 25$, 

where $\bar{a}$ is an inverse of a (mod 26), which can be found using the congruence 
$\bar{a} \equiv a^{\phi(26)-1} \pmod{26}$. 

We illustrate how affine transformations work in Example 8.3. 

Example 8.3. Let a = 7 and b = 10 in an affine cipher with $C \equiv aP + b \pmod{26}$, so 
that $C \equiv 7P + 10 \pmod{26}$. Note that $P \equiv 15(C - 10) \equiv 15C + 6 \pmod{26}$, because 
15 is an inverse of 7 modulo 26. The correspondence between letters is given in Table 8.3. 



Plaintext     A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
             10 17 24  5 12 19  0  7 14 21  2  9 16 23  4 11 18 25  6 13 20  1  8 15 22  3
Ciphertext    K  R  Y  F  M  T  A  H  O  V  C  J  Q  X  E  L  S  Z  G  N  U  B  I  P  W  D


Table 8.3 The correspondence of letters for the cipher with $C \equiv 7P + 10 \pmod{26}$. 


To illustrate how we obtained this correspondence, note that the plaintext letter L 
with numerical equivalent 11 corresponds to the ciphertext letter J, because 
$7 \cdot 11 + 10 = 87 \equiv 9 \pmod{26}$ and 9 is the numerical equivalent of J. 

To illustrate how to encrypt, note that 

PLEASE SEND MONEY 

is transformed to 

LJMKG MGMXF QEXMW. 

Also note that the ciphertext 

FEXEN ZMBMK JNHMG MYZMN 

corresponds to the plaintext 

DONOT REVEA LTHES ECRET, 

or, combining the appropriate letters, 

DO NOT REVEAL THE SECRET. ◄ 

We now discuss some of the techniques directed at the cryptanalysis of ciphers based 
on affine transformations. In attempting to break a monographic cipher, the frequency of 
letters in the ciphertext is compared with the frequency of letters in ordinary text. This 
gives information concerning the correspondence between letters. In various frequency 
counts of English text, one finds the percentages listed in Table 8.4 for the occurrence 
of the 26 letters of the alphabet. Counts of letter frequencies in other languages may be 
found in [Fr78] and [Ku76]. 

Letter            A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Frequency (in %)  7  1  3  4 13  3  2  3  8 <1 <1  4  3  8  7  3 <1  8  6  9  3  1  1 <1  2 <1


Table 8.4 The frequencies of occurrence of the letters of the alphabet. 


From this information, we see that the most frequently occurring letters in typical 
English text are E, T, N, R, I, O, and A, with E occurring substantially more than the 
other letters, 13% of the time, and T, N, R, I, O, and A each occurring between 7% and 
9% of the time. We can use this information to determine which cipher based on an affine 
transformation has been used to encrypt a message. We illustrate how this cryptanalysis 
is done in the following example. 

Example 8.4. Suppose that we know in advance that a shift cipher has been employed 
to encrypt a message; each letter of the message has been transformed by a correspondence 
$C \equiv P + k \pmod{26}$, $0 \le C \le 25$. To cryptanalyze the ciphertext 

YFXMP CESPZ CJTDF DPQFW QZCPY 

NTASP CTYRX PDDLR PD, 

we first count the number of occurrences of each letter in the ciphertext. This is displayed 
in Table 8.5. 

We notice that the most frequently occurring letter in the ciphertext is P, with the 
letters C, D, F, T, and Y occurring with relatively high frequency. Our initial guess would 
be that P represents E, since E is the most frequently occurring letter in English text. If 
this is so, then $15 \equiv 4 + k \pmod{26}$, so that $k \equiv 11 \pmod{26}$. Consequently, we would 
have $C \equiv P + 11 \pmod{26}$ and $P \equiv C - 11 \pmod{26}$. This correspondence is given in 
Table 8.6. 


Letter                 A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Number of Occurrences  1  0  4  5  1  3  0  0  0  1  0  1  1  1  0  7  2  2  2  3  0  0  1  2  3  2


Table 8.5 The number of occurrences of letters in a ciphertext. 



Ciphertext    A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
             15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
Plaintext     P  Q  R  S  T  U  V  W  X  Y  Z  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O


Table 8.6 Correspondence of letters for the sample ciphertext. 

Using this correspondence, we attempt to decrypt the message. We obtain 

NUMBE RTHEO RYISU SEFUL FOREN 
CIPHE RINGM ESSAG ES. 

This can easily be read as 

NUMBER THEORY IS USEFUL FOR 
ENCIPHERING MESSAGES. 

Consequently, we made the correct guess. If we had tried this transformation, and instead 
of plaintext, it produced garbled text, we would have tried another likely transformation 
based on the frequency count of letters in the ciphertext. ◄ 


Example 8.5. Suppose we know that an affine transformation of the form $C \equiv aP + b \pmod{26}$, 
$0 \le C \le 25$, has been used for encryption. For instance, suppose that we wish 
to cryptanalyze the encrypted message 

USLEL JUTCC YRTPS URKLT YGGFV 
ELYUS LRYXD JURTU ULVCU URJRK 
QLLQL YXSRV LBRYZ CYREK LVEXB 
RYZDG HRGUS LJLLM LYPDJ LJTJU 
FALGU PTGVT JULYU SLDAL TJRWU 
SLJFE OLPU. 


The first thing to do is to count the occurrences of each letter; this count is displayed 
in Table 8.7. 


With this information, we guess that the letter L, which is the most frequently 
occurring letter in the ciphertext, corresponds to E, while the letter U, which occurs 
with the second-highest frequency, corresponds to T. This implies, if the transformation 
is of the form $C \equiv aP + b \pmod{26}$, the pair of congruences 

$4a + b \equiv 11 \pmod{26}$ 
$19a + b \equiv 20 \pmod{26}$. 

By Theorem 4.15 we see that the solution of this system is $a \equiv 11 \pmod{26}$ and 
$b \equiv 19 \pmod{26}$. 

If this is the correct enciphering transformation, then using the fact that 19 is an 
inverse of 11 modulo 26, the deciphering transformation is 

$P \equiv 19(C - 19) \equiv 19C - 361 \equiv 19C + 3 \pmod{26}$, $0 \le P \le 25$. 


Letter                 A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Number of Occurrences  2  2  4  4  5  3  6  1  0 10  3 22  1  0  1  4  2 12  7  8 16  5  1  3 10  2


Table 8.7 The number of occurrences of letters in a ciphertext. 

Ciphertext    A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
              3 22 15  8  1 20 13  6 25 18 11  4 23 16  9  2 21 14  7  0 19 12  5 24 17 10
Plaintext     D  W  P  I  B  U  N  G  Z  S  L  E  X  Q  J  C  V  O  H  A  T  M  F  Y  R  K


Table 8.8 The correspondence of letters for the sample ciphertext. 


This gives the correspondence found in Table 8.8. 


With this correspondence, we try to read the ciphertext, which becomes 


THEBE STAPP ROACH TOLEA RNNUM 
BERTH EORYI STOAT TEMPT TOSOL 
VEEVE RYHOM EWORK PROBL EMBYW 
ORKIN GONTH ESEEX ERCIS ESAST 
UDENT CANMA STERT HEIDE ASOFT 
HESUB JECT. 


We leave it to the reader to combine the appropriate letters into words to see that the 
message is intelligible. ◄ 
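
The affine transformations of Examples 8.1 through 8.5, as an added Python example that is not part of the original text: it enciphers and deciphers with $C \equiv aP + b \pmod{26}$ and recovers the key of Example 8.5 from letter counts. It goes slightly beyond the worked example by listing every valid key consistent with a guessed pair of letters and by moving on to other pairings when a guess fails; the function names and the list of likely letters passed to `candidates` are choices made for this example.

```python
from collections import Counter
from math import gcd

A = ord("A")

# Ciphertext of Example 8.5 (spaces only separate the five-letter blocks).
EXAMPLE_8_5 = (
    "USLEL JUTCC YRTPS URKLT YGGFV ELYUS LRYXD JURTU ULVCU URJRK "
    "QLLQL YXSRV LBRYZ CYREK LVEXB RYZDG HRGUS LJLLM LYPDJ LJTJU "
    "FALGU PTGVT JULYU SLDAL TJRWU SLJFE OLPU"
)


def numbers(text):
    """Numerical equivalents (Table 8.1) of the letters in text; other characters are dropped."""
    return [ord(ch) - A for ch in text.upper() if "A" <= ch <= "Z"]


def require_valid(a):
    """Reject a multiplier that is not relatively prime to 26."""
    if gcd(a, 26) != 1:
        raise ValueError(f"a = {a} has no inverse modulo 26, so the map is not one-to-one")


def affine_encrypt(plaintext, a, b):
    """C = aP + b (mod 26); a = 1 gives a shift cipher, (a, b) = (1, 3) the Caesar cipher."""
    require_valid(a)
    return "".join(chr((a * p + b) % 26 + A) for p in numbers(plaintext))


def affine_decrypt(ciphertext, a, b):
    """P = a_inv * (C - b) (mod 26), where a_inv is an inverse of a modulo 26."""
    require_valid(a)
    a_inv = pow(a, -1, 26)  # Python 3.8+; the same residue as a**(phi(26) - 1) mod 26
    return "".join(chr(a_inv * (c - b) % 26 + A) for c in numbers(ciphertext))


def keys_for_guess(c1, p1, c2, p2):
    """Every valid key (a, b) with a*p1 + b = c1 and a*p2 + b = c2 (mod 26).

    Searching all 312 keys also covers guesses where p1 - p2 is not
    invertible modulo 26, which have either no valid key or several.
    """
    return [(a, b)
            for a in range(26) if gcd(a, 26) == 1
            for b in range(26)
            if (a * p1 + b - c1) % 26 == 0 and (a * p2 + b - c2) % 26 == 0]


def candidates(ciphertext, likely="ETNRIOA"):
    """Yield (key, trial plaintext) for each pairing of the two most frequent
    ciphertext letters with two likely plaintext letters, E and T first."""
    (c1, _), (c2, _) = Counter(numbers(ciphertext)).most_common(2)
    for p1 in numbers(likely):
        for p2 in numbers(likely):
            if p1 != p2:
                for a, b in keys_for_guess(c1, p1, c2, p2):
                    yield (a, b), affine_decrypt(ciphertext, a, b)


if __name__ == "__main__":
    # The analyst reads the trial plaintexts and stops at the first intelligible one.
    for key, text in list(candidates(EXAMPLE_8_5))[:3]:
        print(key, text[:40])
```
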


The methods described in this section can be extended to construct cryptosystems 
more difficult to break than character ciphers. For example, plaintext letters can be shifted 
by different amounts, as is done in Vigenere ciphers, described in Section 8.2. Additional 
methods based on enciphering blocks of letters rather than individual characters will also 
be described in Section 8.2 and in subsequent sections of this chapter, as will ciphers 
where the key used to encrypt characters changes from character to character. 


8.1 Exercises 

1. Using the Caesar cipher, encrypt the message ATTACK AT DAWN. 

2. Decrypt the ciphertext message LFDPH LVDZL FRQTX HUHG, which has been encrypted 
using the Caesar cipher. 

3. Encrypt the message SURRENDER IMMEDIATELY using the affine transformation 
$C \equiv 11P + 18 \pmod{26}$. 

4. Encrypt the message THE RIGHT CHOICE using the affine transformation 
$C \equiv 15P + 14 \pmod{26}$. 

5. Decrypt the message YLFQX PCRIT, which was encrypted using the affine transformation 
$C \equiv 21P + 5 \pmod{26}$. 

6. Decrypt the message RTOLK TOIK, which was encrypted using the affine transformation 
$C \equiv 3P + 24 \pmod{26}$. 

7. If the most common letter in a long ciphertext, encrypted by a shift transformation 
$C \equiv P + k \pmod{26}$, is Q, then what is the most likely value of k? 

8. The message KYVMR CLVFW KYVBV PZJJV MVEKV VE was encrypted using a shift 
transformation $C \equiv P + k \pmod{26}$. Use frequencies of letters to determine the value of k. 
What is the plaintext message? 

9. The message IVQLM IQATQ SMIKP QTLVW VMQAJ MBBMZ BPIVG WCZWE 
VNZWU KPQVM AMNWZ BCVMK WWSQM was encrypted using a shift transformation 
$C \equiv P + k \pmod{26}$. Use frequencies of letters to determine the value of k. What is the 
plaintext message? 

10. If the two most common letters in a long ciphertext, encrypted by an affine transformation 
$C \equiv aP + b \pmod{26}$, are X and Q, respectively, then what are the most likely values for a 
and b? 

11. If the two most common letters in a long ciphertext, encrypted by an affine transformation 
$C \equiv aP + b \pmod{26}$, are W and B, respectively, then what are the most likely values for a 
and b? 

12. The message MJMZK CXUNM GWIRY VCPUW MPRRW GMIOP MSNYS RYRAZ 
PXMCD WPRYE YXD was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. 
Use frequencies of letters to determine the values of a and b. What is the plaintext message? 

13. The message WEZBF TBBNJ THNBT ADZQE TGTYR BZAJN ANOOZ ATWGN ABOVG 
FNWZV A was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. The most 
common letters in the plaintext are A, E, N, and S. What is the plaintext message? 

14. The message PJXFJ SWJNX JMRTJ FVSUJ OOJWF OVAJR WHEOF JRWJO DJFFZ BJF 
was encrypted using an affine transformation $C \equiv aP + b \pmod{26}$. Use frequencies of letters 
to determine the values of a and b. What is the plaintext message? 

Given two ciphers, plaintext may be encrypted by first using one of the ciphers, and then using 
the other cipher on this result. This procedure produces a product cipher. 

15. Find the product cipher obtained by using the transformation $C \equiv 5P + 13 \pmod{26}$ followed 
by the transformation $C \equiv 17P + 3 \pmod{26}$. 

16. Find the product cipher obtained by using the transformation $C \equiv aP + b \pmod{26}$ followed 
by the transformation $C \equiv cP + d \pmod{26}$, where (a, 26) = (c, 26) = 1. 

Computations and Explorations 

1. Find the frequency of the letters of the English alphabet in different types of English text, 
such as in this book, in computer programs, and in a novel. 

2. Encrypt some messages using affine transformations, as ciphertexts for your classmates to 
decipher. 

3. Decrypt messages that were enciphered by your classmates using affine transformations, 
using letter-frequency analysis. 

Programming Projects 

1. Given a plaintext message, encrypt it using the Caesar cipher. 

2. Given a plaintext message, encrypt it using the transformation $C \equiv P + k \pmod{26}$, where 
k is a given integer. 

3. Given a plaintext message, encrypt it using the transformation $C \equiv aP + b \pmod{26}$, where 
a and b are integers with (a, 26) = 1. 

4. Given a ciphertext message that has been encrypted using the Caesar cipher, decrypt it. 

5. Given a key k and a ciphertext message produced using the cipher $C \equiv P + k \pmod{26}$, 
decrypt it. 

6. Given a valid key pair a, b for the affine cipher and a ciphertext message produced by the 
cipher $C \equiv aP + b \pmod{26}$, decrypt it. 

* 7. Given ciphertext that was produced using a cipher of the form $C \equiv P + k \pmod{26}$, where 
k is an unknown key, find k using frequency counts. 

* 8. Given ciphertext that was produced using a cipher of the form $C \equiv aP + b \pmod{26}$, where 
a, b is a valid key pair for the affine cipher, find a and b using frequency counts. 


8.2 Block and Stream Ciphers 

In Section 8.1, we studied character (or monographic) ciphers based on the substitution 
of characters. These ciphers are vulnerable to cryptanalysis based on the frequency of 
letters in the ciphertext. To avoid this weakness, we can use ciphers that substitute for 
each block of plaintext letters of a specified length a block of ciphertext letters of the 
same length. Ciphers of this sort are called block, or polygraphic, ciphers. In this section, 
we will discuss several varieties of block ciphers, including polygraphic ciphers based 
on modular arithmetic. We will describe a cipher known since the sixteenth century 
that employs several different character ciphers determined by a keyword, and a cipher 
invented by Hill around 1930 (see [Hi31]) that encrypts blocks using modular matrix 
multiplication. We will also discuss (but do not describe in full detail) a more complicated 
block cipher important in commercial use, the Data Encryption Algorithm. At the end 
of this section, we will describe another type of cipher, a stream cipher, where the key 
can change as successive characters (or bits) are encrypted. 

Vigenere Ciphers 

We begin by describing the Vigenère cipher, named for French diplomat and cryptographer 
Blaise de Vigenère. Instead of encrypting each letter of a plaintext message in 
the same way, we will vary how we encrypt letters. The key of a Vigenère cipher consists 
of a keyword $\ell_1 \ell_2 \ldots \ell_n$. Suppose that the numerical equivalents of the letters 
$\ell_1, \ell_2, \ldots, \ell_n$ are $k_1, k_2, \ldots, k_n$, respectively. To encrypt a plaintext message, we first 
split it into blocks of length n. A block consisting of letters with numerical equivalents 
$p_1, p_2, \ldots, p_n$ is transformed into a ciphertext block of letters with numerical equivalents 
$c_1, c_2, \ldots, c_n$ using a sequence of shift ciphers with 

$c_i \equiv p_i + k_i \pmod{26}$, $0 \le c_i \le 25$, 

for i = 1, 2, ..., n. The Vigenère ciphers are the encryption algorithms for the cryptosystem 
where blocks of plaintext letters of length n are encrypted to blocks of ciphertext 
letters of the same length. The keys are n-tuples $(k_1, k_2, \ldots, k_n)$ of letters. (A terminal 
group of fewer than n dummy letters can be used to fill out a final block.) That is, Vigenère 
ciphers can be thought of as block ciphers operating on blocks of length n using 
keys of length n. 

Example 8.6. To encrypt the plaintext message MILLENNIUM using the key YTWOK 
for a Vigenère cipher, we first translate the message and the key into their numerical 
equivalents. The letters of the message and the letters of the key translate to 

$p_1 p_2 p_3 p_4 p_5 p_6 p_7 p_8 p_9 p_{10} = 12\ 8\ 11\ 11\ 4\ 13\ 13\ 8\ 20\ 12$ 

and 

$k_1 k_2 k_3 k_4 k_5 = 24\ 19\ 22\ 14\ 10$, 

respectively. Applying the Vigenère cipher with the specified key, we find that the 
characters in the encrypted message are: 

$c_1 \equiv p_1 + k_1 = 12 + 24 \equiv 10 \pmod{26}$ 
$c_2 \equiv p_2 + k_2 = 8 + 19 \equiv 1 \pmod{26}$ 
$c_3 \equiv p_3 + k_3 = 11 + 22 \equiv 7 \pmod{26}$ 
$c_4 \equiv p_4 + k_4 = 11 + 14 \equiv 25 \pmod{26}$ 
$c_5 \equiv p_5 + k_5 = 4 + 10 \equiv 14 \pmod{26}$ 
$c_6 \equiv p_6 + k_1 = 13 + 24 \equiv 11 \pmod{26}$ 
$c_7 \equiv p_7 + k_2 = 13 + 19 \equiv 6 \pmod{26}$ 
$c_8 \equiv p_8 + k_3 = 8 + 22 \equiv 4 \pmod{26}$ 
$c_9 \equiv p_9 + k_4 = 20 + 14 \equiv 8 \pmod{26}$ 
$c_{10} \equiv p_{10} + k_5 = 12 + 10 \equiv 22 \pmod{26}$. 


BLAISE DE VIGENÈRE (1523-1596), born in the village of Saint-Pourçain, 
France, received an excellent education. At 17 he was sent to court, and at 22 to 
the Diet of Worms as a secretary. He became a secretary for the Duke of Nevers 
in 1547, and in 1549 he was sent to Rome as a diplomat. While there, he read 
numerous books on cryptography, a subject that he discussed with experts of the 
papal curia. In 1570, after a long career in diplomacy, interrupted by a period of 
study, Vigenère retired from court. He married a young wife, turned his annuity 
over to the poor of Paris, and dedicated himself to writing. He was the author 
of more than 20 books, the best known being his Traicté des Chiffres, written in 1585. In this book, 
Vigenère provides a comprehensive overview of cryptography. He discusses polyalphabetic ciphers 
at length and introduces several variations of known polyalphabetic ciphers, including the autokey 
cipher. Many historians believe that this cipher should have been called the “Vigenère” rather than 
the simpler one that now bears his name. 

Vigenère did not write only about cryptography. His Traicté des Chiffres also contains discussions 
of magic, alchemy, and the mysteries of the universe. His Traicté des Comètes helped destroy the myth 
that God flings comets at Earth to warn people to stop sinning. 

Translating the numerical equivalents of numbers back to letters we see that the encrypted 
message is KBHZO LGEIW. ◄ 

Example 8.7. To decrypt the ciphertext message FFFLB CVFX encrypted using a 
Vigenère cipher with key ZORRO, we first translate the letters of the ciphertext message 
into their numerical equivalents to obtain $c_1 c_2 c_3 c_4 c_5 c_6 c_7 c_8 c_9 = 5\ 5\ 5\ 11\ 1\ 2\ 21\ 5\ 23$. 
The numerical equivalents of the letters in the key are $k_1 k_2 k_3 k_4 k_5 = 25\ 14\ 17\ 17\ 14$. To 
obtain the numerical equivalents of the plaintext letters, we proceed as follows: 

$p_1 \equiv c_1 - k_1 = 5 - 25 \equiv 6 \pmod{26}$ 
$p_2 \equiv c_2 - k_2 = 5 - 14 \equiv 17 \pmod{26}$ 
$p_3 \equiv c_3 - k_3 = 5 - 17 \equiv 14 \pmod{26}$ 
$p_4 \equiv c_4 - k_4 = 11 - 17 \equiv 20 \pmod{26}$ 
$p_5 \equiv c_5 - k_5 = 1 - 14 \equiv 13 \pmod{26}$ 
$p_6 \equiv c_6 - k_1 = 2 - 25 \equiv 3 \pmod{26}$ 
$p_7 \equiv c_7 - k_2 = 21 - 14 \equiv 7 \pmod{26}$ 
$p_8 \equiv c_8 - k_3 = 5 - 17 \equiv 14 \pmod{26}$ 
$p_9 \equiv c_9 - k_4 = 23 - 17 \equiv 6 \pmod{26}$. 


Translating the numerical equivalents back to letters, we see that the plaintext message 
was GROUNDHOG. ◄ 

Cryptanalysis of Vigenere Ciphers 

The Vigenère cipher was considered unbreakable for many years. It was used extensively 
to encrypt sensitive information transmitted by telegraphy. However, by the 
mid-nineteenth century, techniques were developed that could successfully break Vigenère 
ciphers. In 1863, Friedrich Kasiski, a Prussian military officer, described a method, now 
known as Kasiski’s test, for determining the key length of a Vigenère cipher. Once the 
key length is known, frequency analysis of letters in the ciphertext can be used to determine 
the characters of the key. As with many discoveries named after their presumed 
first inventor, Kasiski was not the first person to discover this method. We now know 
that Charles Babbage discovered the same test in 1854. However, the publication of 
Babbage’s discovery was delayed for many years. The reason for this delay was British 
national security. The British military used Babbage’s test to break secret messages sent 
by their adversaries and did not want this to become known. 

Kasiski’s method is based on finding identical strings in ciphertext. When a message 
is encrypted using a Vigenère cipher with key length n, identical strings of plaintext 
separated by a multiple of n are encrypted to the same string (see Exercise 5). Kasiski’s 
test is based on locating identical strings in the ciphertext, generally of length three 
or more, which likely correspond to identical strings in the plaintext. For each pair of 
identical ciphertext strings, we determine the difference between the positions of their 
initial characters. Suppose there are k such pairs of identical strings in the ciphertext and 
$d_1, d_2, d_3, \ldots, d_k$ are the differences in the positions of their initial characters. If these 
pairs of identical ciphertext strings really do correspond to identical plaintext strings, the 
key length n must divide each of the integers $d_i$, i = 1, 2, ..., k. It would then follow 
that n divides the greatest common divisor of these integers, $(d_1, d_2, \ldots, d_k)$. 

Because different strings of plaintext may be encrypted to the same ciphertext by 
different parts of the encryption key, some differences in starting positions of identical 
strings of ciphertext are extraneous and should be discarded. To overcome this problem, 
we can compute the greatest common divisor of some, but not all, of these differences. 

We can run a second test to help us assess whether we have found the correct key 
length. This test, developed by the famous American cryptographer William Friedman 
in 1920, estimates the key length of a Vigenere cipher by studying the variation in 
frequencies of ciphertext letters. Friedman observed that there is considerable variation 
in the frequencies of the letters in English text, but as the length of the key used in a 
Vigenere cipher increases, this variation becomes smaller and smaller. 

Friedman introduced a measure called the index of coincidence. Given a string of 
n characters $x_1, x_2, \ldots, x_n$, its index of coincidence, denoted by IC, is the probability 
that two randomly chosen elements of this string are the same. We now assume that we 
are working with strings of English letters and that the letters A, B, . . . , Y, and Z occur 
$f_0, f_1, \ldots, f_{24}$, and $f_{25}$ times, respectively, in a string. 

Because the ith letter occurs $f_i$ times, there are 

ways to choose two of its elements so that both are the ith character. Because there are 
$\binom{n}{2} = n(n - 1)/2$ ways to choose two characters in the string, we can conclude that the 
index of coincidence for this string is 

$$IC = \frac{\sum_{i=0}^{25} f_i(f_i - 1)}{n(n - 1)}.$$ 

Now consider a string of English plaintext. If the plaintext is sufficiently long, we 
expect the frequencies of letters to approximate their frequencies in typical English 
(shown in Table 8.4). Suppose that $p_0, p_1, \ldots, p_{25}$ are the expected probabilities of 
A, B, . . . , Y, and Z, respectively. It follows that the probability two randomly chosen 
letters are both A is $p_0^2$, the probability both are B is $p_1^2$, and so on. Consequently, we 
would expect the index of coincidence of this plaintext to be approximately 

$$\sum_{i=0}^{25} p_i^2 \approx 0.065.$$ 

(The values $p_i$, i = 0, 1, ..., 25, used in this computation can be found in [St05].) 
Moreover, this reasoning applies for ciphertext produced by character ciphers. For a 
character cipher, the probability of occurrence of a character in ciphertext equals the 
probability of occurrence of the corresponding plaintext character. Consequently, for 
ciphertext encrypted with a character cipher, the terms of the sum $\sum_{i=0}^{25} p_i^2$ are permuted, 
but the sum is not changed. 

To use indices of coincidence to determine whether we have guessed correctly 
that the key has length k, we break the ciphertext message into k different parts. The 
first part contains characters in positions 1, k + 1, 2k + 1, . . . ; the second part contains 
the characters in positions 2, k + 2, 2k + 2, . . . ; and so on. We compute the index 
of coincidence for each of these different parts separately. If our guess was correct, 
each of these indices of coincidence should be approximately 0.065. However, if we 
guessed wrong, these values will most likely be less than 0.065. They probably will be 
considerably closer to the index of coincidence of a random string of English characters, 
namely $1/26 \approx 0.038$. (This index of coincidence can be computed using the probabilities 
of occurrence of letters in typical English text.) 

For each part of the ciphertext, we attempt to find the letter of the key that was used to 
encrypt letters in this part by examining letter frequencies. We determine the most likely 
possibilities for the letters of the key by determining the letters that are most frequent in 
the ciphertext and presuming they correspond with the most common letters of English. 
To determine whether we have guessed correctly, we can compare the frequencies we 
expect when letters are encrypted by shifting them using this letter of the key with the 
observed frequencies for this part of the ciphertext. 

Once we have made our best guess for each letter of the key, we attempt to decrypt the 
message using the key we have computed. If we recover a meaningful plaintext message, 
we presume we have recovered the correct plaintext. On the other hand, if we end up 
with nonsense, we go back to the drawing board and check out other possibilities. 

We now illustrate the cryptanalysis of ciphertext encrypted using a Vigenère cipher. 


Example 8.8. Suppose that the ciphertext produced by encrypting plaintext using a 
Vigenere cipher is 


QWHID DNZEM WTLMT BKTIT EMWLZ WVCVE 
HLTBS TUDLG WNUJE WJEUL EXWQO SLNZA 
NLHYQ ALWEH VOQWD VQTBW ILURY STIJW 
CLHWW RNSIH MNUDI YFAVD ELAGB LSNZA 
NSMIF GNZEM WALWL CXEFA BYJTS SNXLH 
YHULK UCLOZ ZAJHI HWSM. 






We describe the steps we use to break this message. We first use the Kasiski test, 
looking for repeated triples of letters in the ciphertext. We list our finding in a table: 

Triple   Starting positions   Differences in starting positions
EMW      9, 21, 129           12, 108, 120
ZEM      8, 128               120
ZAN      59, 119              60
NZE      7, 127               120
NZA      58, 118              60
LHY      62, 149              87
ALW      66, 132              66


The differences between identical ciphertext blocks of length three are 12, 60, 66, 87, 
108, and 120. Because (12, 60, 66, 87, 108, 120) = 3, we guess that the key length 
equals 3. 

Assuming that this guess is correct, we split the ciphertext into three separate 
parts. The first contains the letters in positions 1, 4, 7, ... , 169; the second contains 
the letters in positions 2, 5, 8, ... , 167; and the third contains the letters in positions 
3, 6, 9, ... , 168. To confirm that our guess is correct, we compute the indices of 
coincidence for each of these three parts of the ciphertext, obtaining 0.071, 0.109, 
and 0.091, respectively. (We leave the details of these computations to the reader. See 
Exercise 12.) One of these numbers is relatively close to the index of coincidence for 
English text, 0.065, and the other two are even larger. This indicates that 3 might be the 
correct key length. Because our ciphertext is rather short, we are not too worried that 
these indices of coincidence are not as close to 0.065 as we might like. Note that if our 
guess was wrong, we would expect some of these indices of coincidence to be smaller 
than 0.065, perhaps even near 0.038. 

After some work, which we leave to the reader, we find the key used to encrypt the 
message is USA and the corresponding plaintext is 


WEHOL DTHES ETRUT HSTOB ESELF EVIDE 
NTTHA TALLM ENARE CREAT EDEQU ALTHA 
TTHEY AREEN DOWED BYTHE IRCRE ATORW 
ITHCE RTAIN UNALI ENABL ERIGH TSTHA 
TAMON GTHES EAREL IFELI BERTY ANDTH 
EPURS UITOF HAPPI NESS. 






This plaintext comes from the Declaration of Independence of the United States. It 
reads: “We hold these truths to be self-evident, that all men are created equal, that 
they are endowed by their Creator with certain unalienable Rights, that among these 
are Life, Liberty, and the pursuit of Happiness.” For more information on cryptanalysis 
of Vigenere ciphers, see [St05] and [TrWa02]. ◄ 
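
The Kasiski test and the index-of-coincidence check from this example, written out as an added example (not code from the text). The ciphertext is rebuilt by encrypting the quoted plaintext with the key USA, and the index of coincidence is computed as the sum of squared relative letter frequencies, the form that reproduces the three values quoted above; all function names are this example's own.

```python
from collections import Counter, defaultdict
from functools import reduce
from math import gcd

# Plaintext of the example (letters only, 169 characters) and its key.
PLAINTEXT = (
    "WEHOLDTHESETRUTHSTOBESELFEVIDENTTHATALLMENARECREATEDEQUAL"
    "THATTHEYAREENDOWEDBYTHEIRCREATORWITHCERTAINUNALIENABLERIGHTS"
    "THATAMONGTHESEARELIFELIBERTYANDTHEPURSUITOFHAPPINESS"
)
KEY = "USA"


def vigenere_encrypt(plaintext, key):
    """Shift the i-th letter by the (i mod len(key))-th key letter, modulo 26."""
    a = ord("A")
    return "".join(
        chr((ord(p) - a + ord(key[i % len(key)]) - a) % 26 + a)
        for i, p in enumerate(plaintext)
    )


def kasiski(ciphertext, block=3):
    """Map every repeated block to the list of its 1-based starting positions."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - block + 1):
        seen[ciphertext[i:i + block]].append(i + 1)
    return {b: pos for b, pos in seen.items() if len(pos) > 1}


def kasiski_key_length(repeats):
    """Return (gcd of all position differences, sorted distinct differences)."""
    diffs = [q - p
             for pos in repeats.values()
             for i, p in enumerate(pos)
             for q in pos[i + 1:]]
    # reduce(..., 0) yields 0 when nothing repeats, i.e. the test is inconclusive.
    return reduce(gcd, diffs, 0), sorted(set(diffs))


def index_of_coincidence(text):
    """Sum over the alphabet of (count / length) squared."""
    n = len(text)
    return sum((c / n) ** 2 for c in Counter(text).values())


def column_ics(ciphertext, key_length):
    """Index of coincidence of each part: positions 1, 1+k, ...; 2, 2+k, ...; etc."""
    return [index_of_coincidence(ciphertext[i::key_length])
            for i in range(key_length)]


if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEY)
    repeats = kasiski(ct)
    for triple, positions in sorted(repeats.items()):
        print(triple, positions)
    guess, diffs = kasiski_key_length(repeats)
    print("differences:", diffs, "-> guessed key length:", guess)
    print("indices of coincidence:", [round(x, 3) for x in column_ics(ct, guess)])
```
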
Hill Ciphers 

Hill ciphers are block ciphers invented by Lester Hill in 1929. To introduce Hill ciphers, 
we first consider digraphic ciphers; in these ciphers, each block of two letters of 
plaintext is replaced by a block of two letters of ciphertext. We illustrate this process 
with an example. 

Example 8.9. To encrypt a message using digraphic Hill ciphers, we first split a 
message into blocks of two letters (adding a dummy letter, say, X, at the end of the 
message, if necessary, so that the final block has two letters). For instance, the message 

THE GOLD IS BURIED IN ORONO 


is split up as 

TH EG OL DI SB UR IE DI NO RO NO. 

Next, these letters are translated into their numerical equivalents (as in previous 
examples) to obtain 

19 7   4 6   14 11   3 8   18 1   20 17   8 4   3 8   13 14   17 14   13 14. 

Each block of two plaintext numbers $P_1P_2$ is converted into a block of two ciphertext 
numbers $C_1C_2$ by defining $C_1$ to be the least nonnegative residue modulo 26 of a linear 
combination of $P_1$ and $P_2$, and defining $C_2$ to be the least nonnegative residue modulo 
26 of a different linear combination of $P_1$ and $P_2$. For example, we can let 

$$C_1 \equiv 5P_1 + 17P_2 \pmod{26}, \quad 0 \le C_1 < 26$$
$$C_2 \equiv 4P_1 + 15P_2 \pmod{26}, \quad 0 \le C_2 < 26,$$

in which case the first block 19 7 is converted to 6 25, because 

$$C_1 \equiv 5 \cdot 19 + 17 \cdot 7 \equiv 6 \pmod{26}$$
$$C_2 \equiv 4 \cdot 19 + 15 \cdot 7 \equiv 25 \pmod{26}.$$

After performing this operation on the entire message, the following ciphertext is 
obtained: 

6 25   18 2   23 13   21 2   3 9   25 23   4 14   21 2   17 2   11 18   17 2. 


LESTER S. HILL (1891-1961) was born in New York City. He graduated from Columbia 
College, and received his Ph.D. in mathematics from Yale University in 1926. He held 
positions at the University of Montana, Princeton University, the University of Maine, 
Yale University, and Hunter College. Hill was interested in applications of mathematics 
to communications. He developed methods for checking the accuracy of telegraphed code 
numbers and the encryption method known as the Hill cipher. Hill continued to submit 
cryptographic papers to the United States Navy, mostly dealing with polygraphic ciphers, 
for more than 30 years. 

When these blocks are translated into letters, we have the ciphertext message 

GZ SC XN VC DJ ZX EO VC RC LS RC. 

The decryption procedure for this cryptosystem is obtained by using Theorem 4.15. To 
find the plaintext block $P_1P_2$ corresponding to the ciphertext block $C_1C_2$, we use the 
relationship 

$$P_1 \equiv 17C_1 + 5C_2 \pmod{26}$$
$$P_2 \equiv 18C_1 + 23C_2 \pmod{26}.$$

(The reader should verify that this relationship is implied by Theorem 4.15.) ◄ 

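The digraphic cipher system in Example 8.9 is conveniently described using matrices. 
For this cryptosystem, we have 

$$\begin{pmatrix} C_1 \\ C_2 \end{pmatrix} \equiv \begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix} \begin{pmatrix} P_1 \\ P_2 \end{pmatrix} \pmod{26}.$$

By Theorem 4.17, we see that the matrix $\begin{pmatrix} 17 & 5 \\ 18 & 23 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 5 & 17 \\ 4 & 15 \end{pmatrix}$ modulo 
26. Hence, Theorem 4.16 tells us that decryption can be done using the relationship 

$$\begin{pmatrix} P_1 \\ P_2 \end{pmatrix} \equiv \begin{pmatrix} 17 & 5 \\ 18 & 23 \end{pmatrix} \begin{pmatrix} C_1 \\ C_2 \end{pmatrix} \pmod{26}.$$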

In general, a Hill cryptosystem may be obtained by splitting plaintext into blocks of n 
letters, translating the letters into their numerical equivalents, and forming ciphertext 
using the relationship 

$$C \equiv AP \pmod{26},$$

where A is an n x n matrix, (det A, 26) = 1, 

$$C = \begin{pmatrix} C_1 \\ C_2 \\ \vdots \\ C_n \end{pmatrix} \quad \text{and} \quad P = \begin{pmatrix} P_1 \\ P_2 \\ \vdots \\ P_n \end{pmatrix},$$

and $C_1C_2 \ldots C_n$ is the ciphertext block that corresponds to the plaintext block $P_1P_2 \ldots P_n$. 
Finally, the ciphertext numbers are translated back to letters. For decryption, we use 
the matrix $\overline{A}$, an inverse of A modulo 26, which may be obtained using Theorem 4.19. 
Because $\overline{A}A \equiv I \pmod{26}$, we have 

$$\overline{A}C \equiv \overline{A}(AP) \equiv (\overline{A}A)P \equiv P \pmod{26}.$$

Hence, to obtain plaintext from ciphertext, we use the relationship 

$$P \equiv \overline{A}C \pmod{26}.$$


Example 8.10. We illustrate this procedure using n = 3 and the encrypting matrix 

$$A = \begin{pmatrix} 11 & 2 & 19 \\ 5 & 23 & 25 \\ 20 & 7 & 1 \end{pmatrix}.$$

Because $\det A \equiv 5 \pmod{26}$, we have (det A, 26) = 1. To encrypt a plaintext block of 
length three, we use the relationship 

$$\begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \equiv A \begin{pmatrix} P_1 \\ P_2 \\ P_3 \end{pmatrix} \pmod{26}.$$

To encrypt the message STOP PAYMENT, we first split the message into blocks of three 
letters, adding a final dummy letter X to fill out the last block. We have plaintext blocks 

STO PPA YME NTX. 

We translate these letters into their numerical equivalents: 

18 19 14 15 15 0 24 12 4 13 19 23. 

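We obtain the first block of ciphertext in the following way: 

$$\begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \equiv \begin{pmatrix} 11 & 2 & 19 \\ 5 & 23 & 25 \\ 20 & 7 & 1 \end{pmatrix} \begin{pmatrix} 18 \\ 19 \\ 14 \end{pmatrix} \equiv \begin{pmatrix} 8 \\ 19 \\ 13 \end{pmatrix} \pmod{26}.$$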

Encrypting the entire plaintext message in the same manner, we obtain the ciphertext 
message 


8 19 13 13 4 15 0 2 22 20 11 0. 

Translating this message into letters, we have our ciphertext message 
ITN NEP ACW ULA. 

The decrypting process for this polygraphic cipher system takes a ciphertext block 
and obtains a plaintext block using the transformation 

$$\begin{pmatrix} P_1 \\ P_2 \\ P_3 \end{pmatrix} \equiv \overline{A} \begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} \pmod{26},$$

where 



is an inverse of A modulo 26, which may be obtained using Theorem 4.19. 

Because polygraphic ciphers operate with blocks, rather than with individual letters, 
they are not vulnerable to cryptanalysis based on letter frequency. However, polygraphic 
ciphers operating with blocks of size n are vulnerable to cryptanalysis based on 
frequencies of blocks of size n. For instance, with a digraphic cryptosystem, there are $26^2 = 676$ 
digraphs, blocks of length two. Studies have been done to compile the relative 
frequencies of digraphs in typical English text. By comparing the frequencies of digraphs in the 
ciphertext with the average frequencies of digraphs, it is often possible to successfully 
attack digraphic ciphers. For example, according to some counts, the most common 
digraph in English is TH, followed closely by HE. If a Hill digraphic cryptosystem has 
been employed and the most common digraph is KX, followed by VZ, we may guess 
that the ciphertext digraphs KX and VZ correspond to TH and HE, respectively. This 
would mean that the blocks 19 7 and 7 4 are sent to 10 23 and 21 25, respectively. If A 
is the encrypting matrix, this implies that 


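$$A \begin{pmatrix} 19 & 7 \\ 7 & 4 \end{pmatrix} \equiv \begin{pmatrix} 10 & 21 \\ 23 & 25 \end{pmatrix} \pmod{26}.$$

Because $\begin{pmatrix} 4 & 19 \\ 19 & 19 \end{pmatrix}$ is an inverse of $\begin{pmatrix} 19 & 7 \\ 7 & 4 \end{pmatrix}$ (mod 26), we find that 

$$A \equiv \begin{pmatrix} 10 & 21 \\ 23 & 25 \end{pmatrix} \begin{pmatrix} 4 & 19 \\ 19 & 19 \end{pmatrix} \equiv \begin{pmatrix} 23 & 17 \\ 21 & 2 \end{pmatrix} \pmod{26},$$
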

which gives a possible key. After attempting to decrypt the ciphertext using A = 



to transform it, we would know whether our guess was correct 


◄ 


In general, if we know n correspondences between plaintext blocks of size n 
and ciphertext blocks of size n (for instance, if we know that the ciphertext blocks 
$C_{1j}C_{2j} \ldots C_{nj}$, j = 1, 2, . . . , n, correspond to the plaintext blocks $P_{1j}P_{2j} \ldots P_{nj}$, j = 
1, 2, . . . , n, respectively), then we have 

$$A \begin{pmatrix} P_{1j} \\ \vdots \\ P_{nj} \end{pmatrix} \equiv \begin{pmatrix} C_{1j} \\ \vdots \\ C_{nj} \end{pmatrix} \pmod{26},$$

for j = 1, 2, . . . , n. 

These n congruences can be succinctly expressed using the matrix congruence 

$$AP \equiv C \pmod{26},$$

where P and C are n x n matrices with ijth entries $P_{ij}$ and $C_{ij}$, respectively. If (det P, 
26) = 1, then we can find the encrypting matrix A via 

$$A \equiv C\overline{P} \pmod{26},$$

where $\overline{P}$ is an inverse of P modulo 26. 
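
The Hill cipher of Examples 8.9 and 8.10 and the key recovery just described, as an added example (not code from the text). The helper names are this example's own, and the modular inverse is computed from the adjugate, one standard way to invert a small matrix modulo 26.

```python
from math import gcd

A_ORD = ord("A")


def to_nums(text):
    """Letters to numerical equivalents A=0, ..., Z=25; non-letters are dropped."""
    return [ord(ch) - A_ORD for ch in text.upper() if ch.isalpha()]


def to_text(nums):
    return "".join(chr(n % 26 + A_ORD) for n in nums)


def mat_mul(X, Y, m=26):
    return [[sum(x * y for x, y in zip(row, col)) % m for col in zip(*Y)]
            for row in X]


def minor(M, i, j):
    """M with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]


def det(M):
    """Integer determinant by cofactor expansion (fine for small block sizes)."""
    if not M:
        return 1
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def mat_inv(M, m=26):
    """Inverse of M modulo m; exists exactly when (det M, m) = 1."""
    d = det(M) % m
    if gcd(d, m) != 1:
        raise ValueError("matrix is not invertible modulo %d" % m)
    d_inv = pow(d, -1, m)
    n = len(M)
    # Entry (i, j) of the adjugate is the (j, i) cofactor.
    return [[(d_inv * (-1) ** (i + j) * det(minor(M, j, i))) % m
             for j in range(n)] for i in range(n)]


def hill_apply(text, A, m=26):
    """Multiply each block of len(A) letters by A modulo m, padding with X."""
    n = len(A)
    nums = to_nums(text)
    nums += [23] * (-len(nums) % n)
    out = []
    for k in range(0, len(nums), n):
        column = [[v] for v in nums[k:k + n]]
        out += [row[0] for row in mat_mul(A, column, m)]
    return to_text(out)


def recover_key(plain_blocks, cipher_blocks, m=26):
    """Solve AP = C (mod m) for A from n known block pairs (blocks are columns)."""
    P = [list(row) for row in zip(*(to_nums(b) for b in plain_blocks))]
    C = [list(row) for row in zip(*(to_nums(b) for b in cipher_blocks))]
    return mat_mul(C, mat_inv(P, m), m)


if __name__ == "__main__":
    A2 = [[5, 17], [4, 15]]
    print(hill_apply("THE GOLD IS BURIED IN ORONO", A2))
    print(mat_inv(A2))
    print(recover_key(["TH", "HE"], ["KX", "VZ"]))
```

When the guessed plaintext blocks give a matrix P with (det P, 26) > 1, `recover_key` raises `ValueError`, and a different set of block pairs is needed.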

Cryptanalysis using frequencies of polygraphs is only worthwhile for small values 
of n, where n is the size of the polygraphs. When n = 10, for example, there are $26^{10}$, 
which is approximately $1.4 \times 10^{14}$, polygraphs of this length. Any analysis of the relative 
frequencies of these polygraphs is extremely infeasible. 


The Data Encryption Standard and Related Ciphers 

The most important cipher that has been used for commercial and government 
applications during the past 20 years is the Data Encryption Algorithm (DEA), which was 
standardized in 1977 by the federal government as part of the Data Encryption Standard 
(DES) (Federal Information Processing Standard 46-1). It was developed by IBM and 
was known as Lucifer before it became a standard. The DEA is a block cipher that 
encrypts 64-bit blocks using a 64-bit key (where the last 8 bits of the key are parity check 
bits stripped off before use), transforming them into 64-bit ciphertext blocks. 

The encryption procedure used by the DEA is extremely complicated and will not 
be described in detail here. Basically, a plaintext block of 64 bits is encrypted by first 
permuting the 64 bits, iterating a function that operates on the left and right halves of a 
string of 64 bits in a particular way 16 times, and then applying the inverse of the initial 
permutation. Details of this cipher can be found in [St05] and [MevaVa97]. These details 
are easily understandable by anyone of the mathematical maturity of students using this 
text; they are quite lengthy, however. 

The DEA is a symmetric cipher. Both the sender and the receiver of a message must 
know the same secret key, which is used for both encryption and decryption. Distributing 
secure keys for use by the DEA is a difficult problem, which can be addressed using 
public key cryptography (discussed in Section 8.4). 

Although the DEA has not been broken, in the sense that no easy attack on it has 
been found, it is vulnerable to brute-force analysis. An exhaustive search can now check 
all $2^{56}$ possible keys in less than a day. Because of the vulnerability of this algorithm to 
such attacks, the National Institute of Standards and Technology (NIST) decided not to 
certify DES for use after 1998. 

In November 2000, NIST selected a new algorithm called the Advanced Encryption 
Standard (AES) as the official encryption standard for the U.S. government. This 
encryption algorithm was developed by two Belgian scientists, Joan Daemen and Vincent 
Rijmen, and is called Rijndael after its creators. The adoption of Rijndael as the Advanced 
Encryption Standard followed three years of competition among many encryption 
algorithms submitted as candidates for the standard. The AES algorithm is capable of using 
128-, 192-, and 256-bit symmetric keys to encrypt and decrypt 128-bit blocks. The 
complexity of the AES and the size of the keys that it supports should make it resistant to 
brute-force attacks for many years. The U.S. government hopes that AES will remain 
secure for at least 20 years. 


Stream Ciphers 




The methods discussed so far have the property that the same key is used to determine the 
particular encryption transformation that is applied to each character (or block). Once 
a plaintext-ciphertext pair is known, the key can be found. To add additional security, 
we can change the key used to encrypt successive characters. To discuss this type of 
encryption, we must first define some terms. 

A sequence $k_1, k_2, k_3, \ldots$ of elements from a keyspace $\mathcal{K}$ is called a keystream. The 
encryption function corresponding to the key $k_i$ is denoted by $E_{k_i}$. A stream cipher is a 
cipher that sends a plaintext string $p_1p_2p_3 \ldots$, using a keystream $k_1, k_2, k_3, \ldots$, to a 
ciphertext string $c_1c_2c_3 \ldots$, where $c_i = E_{k_i}(p_i)$. The corresponding decryption function 
is $D_{d_i}(c_i) = p_i$, where $d_i$ is a decryption key corresponding to the encryption key $k_i$. 

We can generate the keystream for a stream cipher in different ways. For example, 
we can select the keys at random to construct a keystream, or we can use a keystream 
generator, a function that generates successive keys using an initial sequence of keys (the 
seed), perhaps also using previous plaintext symbols. 

The simplest (nontrivial) stream cipher is the Vernam cipher, proposed by Gilbert 
Vernam in 1917 for the automatic encryption and decryption of telegraph messages. In 
this stream cipher, the keystream is a bit string $k_1k_2 \ldots k_m$ of the same length as the 
plaintext message, which is a bit string $p_1p_2 \ldots p_m$. Plaintext bits are encrypted using 
the map 

$$E_{k_i}(p_i) \equiv k_i + p_i \pmod{2}.$$

Exactly two different encryption maps are used in a Vernam cipher. When $k_i = 0$, $E_{k_i}$ is 
the identity map that sends 0 to 0 and 1 to 1. When $k_i = 1$, $E_{k_i}$ is the map that sends 0 to 
1 and 1 to 0. The corresponding decryption transformation $D_{d_i}$ is identical to $E_{k_i}$. 

Example 8.11. When we encrypt the plaintext bit string 0 1111 0111 using a Vernam 
cipher with keystream 1 1000 1111, we obtain the bit string 1 0111 1000, where each bit 
is obtained by adding corresponding bits of the plaintext and the keystream. Decrypting 
this just requires that we repeat the operation. ◄ 

Keystreams in the Vernam cipher should be used only once (see Exercise 38). When 
the keystream of a Vernam cipher is chosen at random and is used to encrypt exactly 
one plaintext message, it is called a one-time pad. It can be shown that a one-time pad is 
unbreakable, in the sense that someone with a ciphertext string encrypted using a random 
keystream used only once can do no better than to simply guess at the plaintext string. 
The problem with the Vernam cipher is that the keystream must be at least as long as 
the plaintext message, and must be transmitted securely between two parties who want 
to use a one-time pad. Consequently, the one-time pad is not used except for extremely 
sensitive communications, mostly of a diplomatic or military nature. 


GILBERT S. VERNAM (1890-1960) was born in Brooklyn, New York. After 
graduating from Worcester Polytechnic Institute, he took a job at AT&T. He 
was able to visualize electrical circuits without actually implementing them. 
He was noted for his cleverness; one story quotes him as asking “What can 
I invent now?” each evening while stretched out on his couch. At AT&T, he 
developed a method to make transmission via the teletypewriter, the first system 
that automated cryptology, secure. At AT&T, he also developed a technique 
for encrypted digital images. Vernam also held positions with the International 
Communications Laboratories and the Postal Telegraph Cable Company. He was granted 65 patents 
for his inventions in cryptography and in telegraph switching systems. 

We will describe another stream cipher, the autokey cipher invented by Vigenere 
in the sixteenth century. The autokey cipher uses an initial seed key, which is a single 
character; subsequent keys are plaintext characters. In particular, the autokey cipher 
shifts each plaintext character, other than the first character, the numerical equivalent 
of the previous character modulo 26; it shifts the first character the numerical equivalent 
of the seed character modulo 26. That is, the autokey cipher encrypts a character $p_i$ 
according to the transformation 

$$c_i \equiv p_i + k_i \pmod{26},$$

where $p_i$ is the numerical equivalent of the ith plaintext character, $c_i$ is the numerical 
equivalent of the ith ciphertext character, and $k_i$, the numerical equivalent of the ith 
character of the keystream, is given by $k_1 = s$, where s is the numerical equivalent of the 
seed character, and $k_i = p_{i-1}$ for $i \ge 2$. 

To decrypt a message encrypted with the autokey cipher, we need to know the seed. 
We subtract the seed from the first ciphertext character modulo 26 to determine the 
first plaintext character, and then we subtract the numerical equivalent of each plaintext 
character modulo 26 from the next ciphertext character to obtain the next plaintext 
character. 

We illustrate how to encrypt and decrypt using the autokey cipher in the following 
examples. 

Example 8.12. To encrypt the plaintext message HERMIT using the autokey cipher 
with seed X (with numerical equivalent 23), we first translate the letters of HERMIT 
into their numerical equivalents to obtain 7 4 17 12 8 19. The keystream consists of the 
numbers 23 7 4 17 12 8. The numerical equivalents of the characters in the ciphertext 
message are 

$$p_1 + k_1 = 7 + 23 \equiv 4 \pmod{26}$$
$$p_2 + k_2 = 4 + 7 \equiv 11 \pmod{26}$$
$$p_3 + k_3 = 17 + 4 \equiv 21 \pmod{26}$$
$$p_4 + k_4 = 12 + 17 \equiv 3 \pmod{26}$$
$$p_5 + k_5 = 8 + 12 \equiv 20 \pmod{26}$$
$$p_6 + k_6 = 19 + 8 \equiv 1 \pmod{26}.$$

Translating back to letters, we see that the ciphertext is ELVDUB. ◄ 

Example 8.13. To decrypt the ciphertext message RMNTU encrypted using the 
autokey cipher with seed F, we first translate the characters of the ciphertext into their 
numerical equivalents to obtain 17 12 13 19 20. We obtain the numerical equivalent of 
the first plaintext character by computing 

$$p_1 \equiv c_1 - s = 17 - 5 \equiv 12 \pmod{26}.$$

We obtain the numerical equivalent of successive plaintext characters as follows: 

$$p_2 \equiv c_2 - p_1 = 12 - 12 \equiv 0 \pmod{26}$$
$$p_3 \equiv c_3 - p_2 = 13 - 0 \equiv 13 \pmod{26}$$
$$p_4 \equiv c_4 - p_3 = 19 - 13 \equiv 6 \pmod{26}$$
$$p_5 \equiv c_5 - p_4 = 20 - 6 \equiv 14 \pmod{26}.$$

Translating these numerical equivalents back to letters, we find that the plaintext message 
was MANGO. ◄ 

We have only briefly touched the surface of the deep subject of stream ciphers. For 
more information about them, including descriptions of stream ciphers used in practice, 
consult [MevaVa97]. 
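
The two stream ciphers of this section, as an added example (not code from the text): the Vernam cipher of Example 8.11, the autokey cipher of Examples 8.12 and 8.13, and a check of why a Vernam keystream should be used only once. The function names and the second message in the reuse check are this example's own.

```python
def vernam(bits, keystream):
    """Add two equal-length bit strings modulo 2; encryption equals decryption."""
    if len(bits) != len(keystream):
        raise ValueError("keystream must be exactly as long as the message")
    return "".join(str(int(b) ^ int(k)) for b, k in zip(bits, keystream))


def autokey_encrypt(plaintext, seed):
    """c_i = p_i + k_i (mod 26) with k_1 = seed and k_i = p_(i-1)."""
    key = ord(seed) - 65
    out = []
    for ch in plaintext:
        p = ord(ch) - 65
        out.append(chr((p + key) % 26 + 65))
        key = p  # the next key is the plaintext letter just encrypted
    return "".join(out)


def autokey_decrypt(ciphertext, seed):
    """p_1 = c_1 - seed, then p_i = c_i - p_(i-1) (mod 26)."""
    key = ord(seed) - 65
    out = []
    for ch in ciphertext:
        p = (ord(ch) - 65 - key) % 26
        out.append(chr(p + 65))
        key = p  # each recovered letter unlocks the next one
    return "".join(out)


def reused_keystream_leak(c1, c2):
    """Sum of two ciphertexts made with one keystream: the keystream cancels,
    leaving the bitwise sum of the two plaintexts."""
    return vernam(c1, c2)


if __name__ == "__main__":
    k = "110001111"
    p1 = "011110111"   # plaintext of Example 8.11
    p2 = "110010010"   # constructed second message, same length
    c1, c2 = vernam(p1, k), vernam(p2, k)
    print(c1, vernam(c1, k))
    print(reused_keystream_leak(c1, c2) == vernam(p1, p2))  # True
    print(vernam(c1, p1) == k)   # a known plaintext reveals the keystream
    print(autokey_encrypt("HERMIT", "X"), autokey_decrypt("RMNTU", "F"))
```
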


8.2 Exercises 

1. Use the Vigenere cipher with encrypting key SECRET to encrypt the message 
DO NOT OPEN THIS ENVELOPE. 


2. Decrypt the following message, which was enciphered using the Vigenere cipher with 
encrypting key SECRET: 


WBRCS LAZGJ MGKMF V. 


3. Use the Vigenere cipher with encrypting key TWAIN to encrypt the message 

AN ENGLISHMAN IS A PERSON WHO DOES THINGS BECAUSE THEY HAVE BEEN 
DONE BEFORE. AN AMERICAN IS A PERSON WHO DOES THINGS BECAUSE THEY 
HAVE NOT BEEN DONE BEFORE. 

4. Decrypt the following message, which was enciphered using the Vigenere cipher with 
encrypting key TWAIN. 

5. Suppose a plaintext message is encrypted using a Vigenere cipher. Show that identical strings 
of characters separated by a multiple of the key length are encrypted to the same string of 
ciphertext characters. 


In Exercises 6-11, use the procedure described in the text to cryptanalyze the given ciphertext, 
which was encrypted using a Vigenere cipher. 

6. UCYFC OOCQU CYFHE BHFTH EFERF
   GQJCK XVBUV BSHFT BLCZB SWKUV
   BNKWE HLTIC GSOUV BTZFO UPBBA
   BFOPK PPTLV HOBUB PIPGC OUIKF

7. KMKRE CCWSP ISNEJ RSXZI ALKZS
   QSLEH NVWAM SRIQM YJKMK RECCW
   XMVOF ELRLW WEJCT JCGAM YKJMX
   CPWQW GLWLF ELAEF MRDWF WJISP
   RWBXZ CLSPH OYCML PWQWA RMKYJ
   SREDK MKREC CAZGG ZYXDC EKRSL
   FIJQG SLPWY VFDVG K

8. SIIWZ FDIBN HUDEU WQJHP JKRNK
   RLACT WXBIM MHMPJ OFUFP WVEOG
   PQPEL VPZYD AXIAG PITMA XFSSS
   GWPBW IWOFO TFWVF JSXPL BJOTP
   SUDIJ JXFNR FPAFG RPSXI WXJOR
   PPXSQ I

9. JWEFF PRGBA GDSZF ZBTZJ IBLSP
   VDBTP FXMLV UGWID NWDHO BNKJT
   VLXIJ KPMZQ HQEDW QCOBO VJBZU
   HOIEG JNVOU BYDUQ NDTUF UFLZV
   UQEJV QJKFL SBUPR WDQIF VUJWB
   VTHUP RWJAY RVTUK BDVEF MEEZI
   EBFXR XMMKL DWLOE PRYFE FUO

10. PDJVJ LFCJW ZQLGR EVMUV ZOWID
    AJZPZ DWEMU QLGGI QZZME NZPJM
    YXSMW IHQQP DBWIE KMSFB GIQWW
    IJWZE YMAIC TJRRB MIYQS KPDJV
    LAHIY LNRRM AICQR TCWAM YOUEE
    PDSFS SSHGT YHQQP YMAIC OJXEW
    YLPMS HZNYL PRTYC VJCMC YXSQX
    WZNFV QZTQO QXGZC WERQS KZVQC
    LLIWE WYLPR TCLVI KWWWC ZNYLP
    KQMXJ

11. TUZTU WFGCG LHGTF GMKGR FIASR
    KWKRR DAAGU WDGTQ GEYNB LISPY
    QTNAG SLRWU GAXEY SUMHR VAZAE
    WGKNV MSKSG ZEELN MGNEQ STIOY
    MMHUF LHKYY SUMHR VAZFH DTUNG
    ZEELN MGNEQ STZHR OROGU LBXOG
    ZEXSO MTZHR QARSB DAAGU WDGTO
    GZUTU WCROJ F

12. Show how we find that the correct key in Example 8.8 is USA once we know the key has 
length three. 

13. Using the digraphic cipher that sends the plaintext block $P_1P_2$ to the ciphertext block $C_1C_2$, 
with 

$$C_1 \equiv 3P_1 + 10P_2 \pmod{26}$$
$$C_2 \equiv 9P_1 + 1P_2 \pmod{26},$$

encrypt the message BEWARE OF THE MESSENGER. 

14. Using the digraphic cipher that sends the plaintext block $P_1P_2$ to the ciphertext block $C_1C_2$, 
with 

$$C_1 \equiv 8P_1 + 9P_2 \pmod{26}$$
$$C_2 \equiv 3P_1 + 11P_2 \pmod{26},$$

encrypt the message DO NOT SHOOT THE MESSENGER. 

15. Decrypt the ciphertext message RD SR QO VU QB CZ AN QW RD DS AK OB, which was 
encrypted using the digraphic cipher that sends the plaintext block $P_1P_2$ into the ciphertext 
block $C_1C_2$, with 

$$C_1 \equiv 13P_1 + 4P_2 \pmod{26}$$
$$C_2 \equiv 9P_1 + P_2 \pmod{26}.$$

16. Decrypt the ciphertext message UW DM NK QB EK, which was encrypted using the 
digraphic cipher that sends the plaintext block $P_1P_2$ into the ciphertext block $C_1C_2$, with 

$$C_1 \equiv 23P_1 + 3P_2 \pmod{26}$$
$$C_2 \equiv 10P_1 + 25P_2 \pmod{26}.$$

17. A cryptanalyst has determined that the two most common digraphs in a ciphertext message are 
RH and NI, and guesses that these ciphertext digraphs correspond to the two most common 
digraphs in English text, TH and HE. If the plaintext was encrypted using a Hill digraphic 
cipher described by 

$$C_1 \equiv aP_1 + bP_2 \pmod{26}$$
$$C_2 \equiv cP_1 + dP_2 \pmod{26},$$

what are a, b, c, and d? 

18. How many pairs of letters remain unchanged when encryption is performed using each of the 
following digraphic ciphers? 

a) $C_1 \equiv 4P_1 + 5P_2 \pmod{26}$, $C_2 \equiv 3P_1 + P_2 \pmod{26}$ 

b) $C_1 \equiv 7P_1 + 17P_2 \pmod{26}$, $C_2 \equiv P_1 + 6P_2 \pmod{26}$ 

c) $C_1 \equiv 3P_1 + 5P_2 \pmod{26}$, $C_2 \equiv 6P_1 + 3P_2 \pmod{26}$ 

19. Show that if the encrypting matrix A in the Hill cipher system is involutory modulo 26, that 
is, $A^2 \equiv I \pmod{26}$, then A also serves as a decrypting matrix for this cipher system. 

20. A cryptanalyst has determined that the three most common trigraphs (blocks of length 
three) in a ciphertext are LME, WRI, and ZYC, and guesses that these ciphertext trigraphs 
correspond to the three most common trigraphs in English text, THE, AND, and THA. If the 
plaintext was encrypted using a Hill trigraphic cipher described by $C \equiv AP \pmod{26}$, what 
are the entries of the 3 x 3 encrypting matrix A? 

21. Find the product cipher obtained by using the digraphic Hill cipher with encrypting matrix 


0 

(» 




followed by using on the result the digraphic Hill cipher with encrypting matrix 


22. Show that the product cipher obtained from two digraphic Hill ciphers is again a digraphic 
Hill cipher. 

23. Show that the product cipher obtained by encrypting first using a Hill cipher with blocks of 
size m and then using a Hill cipher with blocks of size n is again a Hill cipher that uses blocks 
of size $[m, n]$. 

24. Find the 6 x 6 encrypting matrix corresponding to the product cipher obtained by first using 
the Hill cipher with encrypting matrix ^ ^ j ^ > followed by using the Hill cipher with 

encrypting matrix $\begin{pmatrix} 1 & 1 & 0 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}$. 



25. In a transposition cipher, blocks of a specified size are encrypted by permuting their characters 
in a specified manner. For instance, plaintext blocks of length five, $P_1P_2P_3P_4P_5$, may be sent 
to ciphertext blocks $C_1C_2C_3C_4C_5 = P_4P_5P_2P_1P_3$. Show that every such transposition cipher 
is a Hill cipher with an encrypting matrix that contains only 0s and 1s as entries, with the 
property that each row and each column contains exactly one 1. 


Hill ciphers are special cases of block ciphers based on affine transformations. To form such a 
transformation, let A be an n x n matrix with integer entries and (det A, 26) = 1, and let B be 
an n x 1 matrix with integer entries. To encrypt a message, we split it into blocks of length n 
and put the numerical equivalents of the letters in each block into an n x 1 matrix P (padding 
the last block with dummy letters, if necessary). We find the corresponding ciphertext block by 
computing C = (AP + B) (mod 26) and translating the entries in C back into letters. 

26 . Using the affine transformation C = ^ 11^^ + (^19^ ( m °d 26) on blocks of two 

successive letters, encrypt the message HAVE A NICE DAY. 

27. What is the decrypting transformation associated with the affine transformation in Exercise 
26? 

28. What is the decrypting transformation associated with the encrypting transformation C = 
(AP + B) (mod 26), where A is an n x n matrix with integer entries and (det A, 26) = 1, and 
B is an n x 1 matrix with integer entries? 

29. Decipher the message HG PM QR YN NM that was encrypted using the affine transformation 

Cs (ll 

30. Explain how you would go about decrypting a message that was encrypted in blocks of length 
two using an affine transformation C = AP + B (mod 26), where A is a 2 x 2 matrix with 
integer entries and (det A, 26) = 1, and B is a 2 x 1 matrix with integer entries. 

31 . Explain how you would go about decrypting a message that was encrypted in blocks of length 
three using an affine transformation C = AP + B (mod 26), where A is a 3 x 3 matrix with 
integer entries and (det A, 26) = 1, and B is a 3 x 1 matrix, with integer entries. 

32. Is the product cipher composed of two digraphic block ciphers based on affine transformations 
also a digraphic block cipher based on an affine transformation? 

* 33. Is the product cipher composed of two block ciphers based on affine transformations, 
encrypting blocks of length m and blocks of length n, respectively, also a block cipher based 
on an affine transformation? 

34. Encrypt the bit string 11 1010 0011 using the Vernam cipher with keystream 10 0111 1001. 

35. Decrypt the bit string 11 1010 0011, assuming that it was encrypted using the Vernam cipher 
with keystream 10 0111 1001. 

36. Encrypt the plaintext message MIDDLETOWN using the autokey cipher with seed Z. 

37. Decrypt the ciphertext message ZVRQH DUJIM, assuming that it was encrypted using the 
autokey cipher with seed I. 

38. Show that the Vernam cipher is vulnerable to a known-plaintext attack if a keystream is used 
repeatedly. In particular, show that if someone can encrypt a bit string and have access to the 
resulting ciphertext string, the key string can be found. 

39. Show that if a keystream is used to encrypt two different messages using a Vernam cipher, 
then the bit string obtained by adding corresponding bits of the two messages modulo 2 could 
be found by someone with the corresponding ciphertext messages. Why might this permit 
cryptanalysis? 

Computations and Explorations 

1. Encrypt some messages using Vigenere ciphers for your classmates to decrypt. 

* 2. Decrypt messages encrypted by your classmates using Vigenere ciphers. 

3. Run the Kasiski test on some ciphertexts encrypted using Vigenere ciphers. 

4. Find the index of coincidence for some character strings. 

5. Cryptanalyze some ciphertexts encrypted using Vigenere ciphers. 

6. Find the frequencies of digraphs in various types of English texts, such as this text, computer 
programs, and a novel. 

7. Find the frequencies of trigraphs in various types of English texts, such as this text, computer 
programs, and a novel. 

8. Encrypt some messages using Hill ciphers for your classmates to decrypt. 

9. Decrypt messages encrypted by your classmates using Hill ciphers. 

10. Encrypt and decrypt some long messages using a Vigenere cipher one-time pad, sending these 
messages to a particular classmate. 

11. Encrypt some messages using an autokey cipher for your classmates to decrypt. 

12. Decrypt some messages that were encrypted using an autokey cipher by your classmates. 

Programming Projects 

1. Given a plaintext message, encrypt it using a Vigenere cipher. 

2. Given a plaintext message that has been encrypted using Vigenere ciphers, decrypt it. 

* 3. Given ciphertext encrypted using a Vigenere cipher, run the Kasiski test to determine the key 
length of the cipher. 

4. Given a string of English characters, find the index of coincidence of this string. 

* * 5. Given ciphertext produced using a Vigenere cipher, use the Kasiski test together with the 
Friedman test, which uses the index of coincidence, to find possible key lengths. For each 
possible key length, use frequency analysis to find each character of the key. Try to recover 
the original plaintext for each possible key you found. Figure out whether you found the 
correct key by checking to see whether decryption via a possible key produces words in 
English. 

6. Given a plaintext message, encrypt it using a Hill cipher. 

7. Given a ciphertext message that was produced using a Hill cipher, decrypt it. 

* 8. Cryptanalyze messages that were encrypted using a digraphic Hill cipher, by analyzing the 
frequency of digraphs in the ciphertext. 

9. Given a plaintext message, encrypt it using a cipher based on an affine transformation of 
blocks. (See the preamble to Exercise 26.) 

10. Given a message that was encrypted using an affine transformation of blocks, decrypt it. 

11. By analyzing the frequency of digraphs in ciphertext, cryptanalyze messages encrypted using 
a digraphic block cipher based on an affine transformation. 

12. Given a message, encrypt it using the autokey cipher. 

13. Given a message that was encrypted using the autokey cipher, decrypt it. 


8.3 Exponentiation Ciphers 

In this section, we discuss a cipher based on modular exponentiation, which was invented 
in 1978 by Pohlig and Hellman [PoHe78]. We will see that ciphers produced by this 
system are resistant to cryptanalysis. (This cipher is of more theoretical than practical 
significance.) 

Let p be an odd prime and let e, the enciphering key, be a positive integer with 
(e, p − 1) = 1. To encrypt a message, we first translate the letters of the message into 
numerical equivalents (retaining initial zeros in the two-digit numerical equivalents of 
letters). We use the same relationship we have used before, as shown in Table 8.9. 

Letter                 A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Numerical Equivalent   00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Table 8.9 Two-digit numerical equivalents of letters. 


Next, we group the resulting numbers into blocks of 2m decimal digits, where 
2m is the largest positive even integer such that all blocks of numerical equivalents 
corresponding to m letters (viewed as a single integer with 2m decimal digits) are less 
than p, e.g., if 2525 < p < 252,525, then m = 2. 

For each plaintext block P, which is an integer with 2m decimal digits, we form a
ciphertext block C using the relationship

$C \equiv P^e \pmod{p}, \quad 0 \le C < p.$

The ciphertext message consists of these ciphertext blocks, which are integers less than 
p. Notice that different values of e determine different ciphers, hence e is aptly called 
the enciphering key. We illustrate the encryption technique with the following example. 

Example 8.14. Let the prime to be used as the modulus in the encryption procedure
be p = 2633, and let the encryption key to be used as the exponent in the modular
exponentiation be e = 29, so that $(e, p - 1) = (29, 2632) = 1$. To encrypt the plaintext
message


THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER, 

we first convert the letters of the message into their numerical equivalents, and then form 
blocks of length four from these digits, to obtain 

1907 0818 0818 0013 0423 

0012 1511 0414 0500 1304 

2315 1413 0413 1908 0019 

0814 1302 0815 0704 1723. 

Note that we have added the two digits 23, corresponding to the letter X, at the end 
of the message to fill out the final block of four digits. 

We next translate each plaintext block P into a ciphertext block C using the
relationship

$C \equiv P^{29} \pmod{2633}, \quad 0 \le C < 2633.$

For instance, to encrypt the first plaintext block, we compute

$C \equiv 1907^{29} \equiv 2199 \pmod{2633}.$

To efficiently carry out the modular exponentiation, we use the algorithm given in Section
4.1. When we encrypt the blocks, we obtain the ciphertext:

2199 1745 1745 1206 2437

2425 1729 1619 0935 0960

1072 1541 1701 1553 0735

2064 1351 1704 1841 1459.


To decrypt a ciphertext block C, we need to know a decryption key, namely, an
integer d such that $de \equiv 1 \pmod{p - 1}$, so that d is an inverse of e (mod p - 1), which
exists because $(e, p - 1) = 1$. If we raise the ciphertext block C to the dth power modulo
p, we recover our plaintext block P. To see this, we first consider the case when $p \nmid P$;
then, we will dispose of the case where $p \mid P$. When $p \nmid P$, we have

$C^d \equiv (P^e)^d = P^{ed} = P^{k(p-1)+1} = (P^{p-1})^k P \equiv P \pmod{p},$

where $de = k(p - 1) + 1$, for some integer k, because $de \equiv 1 \pmod{p - 1}$. (Note that
we have used Fermat's little theorem to see that $P^{p-1} \equiv 1 \pmod{p}$.) When $p \mid P$, then
P = 0, as $0 \le P < p$, so that C = 0 also because $C \equiv P^e \equiv 0^e \equiv 0 \pmod{p}$, $0 \le C < p$.
Hence, $C^d \equiv 0^d \equiv 0 \pmod{p}$, which means that $C^d \equiv P \pmod{p}$ in this case too.

Example 8.15. To decrypt the ciphertext blocks generated using the prime modulus
p = 2633 and the encryption key e = 29, we need an inverse of e modulo p - 1 = 2632.
An easy computation, as done in Section 4.2, shows that d = 2269 is such an inverse.
To decrypt the ciphertext block C to find the corresponding plaintext block P, we use
the relationship

$P \equiv C^{2269} \pmod{2633}.$

For instance, to decrypt the ciphertext block 2199, we have

$P \equiv 2199^{2269} \equiv 1907 \pmod{2633}.$

Again, the modular exponentiation is carried out using the algorithm given in Section 4.1.

◄ 

For each plaintext block P that we encrypt by computing $P^e \pmod{p}$, we use only
$O((\log_2 p)^3)$ bit operations, as Theorem 4.9 demonstrates. Before we decrypt, we need
to find an inverse d of e modulo p - 1. This can be done using $O(\log^3 p)$ bit operations
(see Exercise 15 of Section 4.2), and this must be done only once. Then to recover the
plaintext block P from a ciphertext block C, we simply need to compute the least positive
residue of $C^d$ modulo p; we can do this using $O((\log_2 p)^3)$ bit operations. Consequently,
the process of encryption and decryption using modular exponentiation can be carried
out rapidly.

On the other hand, cryptanalysis of messages encrypted using modular exponentiation
generally cannot be accomplished rapidly. To see this, suppose that we know the
prime p used as the modulus and, moreover, suppose that we know the plaintext block
P corresponding to a ciphertext block C, so that

(8.2)    $C \equiv P^e \pmod{p}.$

For successful cryptanalysis, we need to find the enciphering key e. This is the discrete
logarithm problem, a computationally difficult problem that will be discussed in Chapter
9. Note that when p has more than 200 decimal digits, it is not feasible to solve this
problem using a computer.


8.3 Exercises 

1. Using the prime p = 101 and encryption key e = 3, encrypt the message GOOD MORNING 
using modular exponentiation. 

2. Using the prime p = 2621 and encryption key e = l, encrypt the message SWEET DREAMS 
using modular exponentiation. 

3. What is the plaintext message that corresponds to the ciphertext 01 09 00 12 12 09 24 10 that 
is produced using modular exponentiation with modulus p = 29 and encryption exponent 
e = 5? 

4. What is the plaintext message that corresponds to the ciphertext 1213 0902 0539 1208 
1234 1103 1374 that is produced using modular exponentiation with modulus p = 2591 and 
encryption key e = 13? 

5. Show that the encryption and decryption procedures are identical when encryption is done
using modular exponentiation with modulus p = 31 and enciphering key e = 11.

6. With modulus p = 29 and unknown encryption key e, modular exponentiation produces the
ciphertext 04 19 19 11 04 24 09 15 15. Cryptanalyze the above cipher, if it is also known that
the ciphertext block 24 corresponds to the plaintext letter U (with numerical equivalent 20).
(Hint: First find the logarithm of 24 to the base 20 modulo 29, using some guesswork.)

Computations and Explorations 

1. Encrypt some messages for your classmates to decrypt using exponentiation ciphers. 

2. Decrypt messages encrypted by your classmates using exponentiation ciphers, given the 
encryption key and prime modulus. 


Programming Projects 

1. Given a message, encryption key, and prime modulus, encrypt it using an exponentiation
cipher.

2. Given a message encrypted using an exponentiation cipher and the encrypting key and prime 
modulus, decrypt it. 


8.4 Public Key Cryptography 

The cryptosystems we have discussed so far are all examples of private key, or symmetric,
cryptosystems, where the encryption and decryption keys are either the same or can be
easily found from each other. For example, in a shift cipher, the encrypting key is an
integer k and the corresponding decrypting key is the integer -k. In an affine cipher, the
encrypting key is a pair (a, b) and the corresponding decrypting key is the pair $(\bar{a}, -\bar{a}b)$,
where $\bar{a}$ is an inverse of a modulo 26. In a Hill cipher, the encrypting key is an n x n
matrix A and the corresponding decrypting key is the n x n matrix $\bar{A}$, where $\bar{A}$ is an
inverse of the matrix A modulo 26. In the Pohlig-Hellman exponentiation cipher, the
encrypting key is (e, p), where p is a prime, and the corresponding decrypting key
is (d, p), where d is an inverse of e modulo p - 1. For the DEA, the encrypting and
decrypting keys are exactly the same.

For that reason, if one of the cryptosystems discussed so far is used to establish secure
communications within a network, then each pair of communicants must employ an
encryption key that is kept secret from the other individuals in the network, because once
the encryption key in such a cryptosystem is known, the decryption key can be found using
a small amount of computer time. Consequently, to maintain secrecy, the encryption
keys must themselves be transmitted over a channel of secure communications.

To avoid assigning a key to each pair of individuals, which must be kept secret from
the rest of the network, a new type of cryptosystem, called a public key cryptosystem, was
invented in the 1970s. In this type of cryptosystem, encrypting keys can be made public,
because an unrealistically large amount of computer time is required to find a decrypting
transformation from an encrypting transformation. To use a public key cryptosystem to
establish secret communications in a network of n individuals, each individual produces
a key of the type specified by the cryptosystem, retaining certain private information that
went into the construction of the encrypting transformation $E(k)$, obtained from the key
k according to a specified rule. Then a directory of the n keys $k_1, k_2, \ldots, k_n$ is published.
When individual i wishes to send a message to individual j, the letters of the message
are translated into their numerical equivalents and combined into blocks of specified
size. Then, for each plaintext block P a corresponding ciphertext block $C = E_{k_j}(P)$ is
computed using the encrypting transformation $E_{k_j}$. To decrypt the message, individual
j applies the decrypting transformation $D_{k_j}$ to each ciphertext block C to find P; that is,

$D_{k_j}(C) = D_{k_j}(E_{k_j}(P)) = P.$

Because the decrypting transformation $D_{k_j}$ cannot be found in a realistic amount of time
by anyone other than individual j, no unauthorized individuals can decrypt the message,
even though they know the key $k_j$. Furthermore, cryptanalysis of the ciphertext message,
even with knowledge of $k_j$, is extremely infeasible due to the large amount of computer
time needed.

Many cryptosystems have been proposed as public key cryptosystems. All but a 
few have been shown to be unsuitable, by demonstrating that ciphertext messages can 
be decrypted using a feasible amount of computer time. In this section, we will introduce 
the most widely used public key cryptosystem, the RSA cryptosystem. In addition, we 
will introduce several other public key cryptosystems, including the Rabin public key 
cryptosystem, which we will discuss at the end of this section, and the ElGamal public 
key cryptosystem, which we will discuss in Chapter 10. The security of these systems 
rests on the difficulty of two computationally intensive mathematical problems, factoring 
integers (discussed in Chapter 3) and finding discrete logarithms (to be discussed in 
Chapter 9). In Section 8.5, we will describe a proposed public key cryptosystem, the 
knapsack cryptosystem, that turned out not to be suitable as a basis for a public key
cryptosystem. (See [MevaVa97] for a comprehensive look at most of the important public 
key cryptosystems.) 

Although public key cryptosystems have many advantages, they are not extensively 
used for general-purpose encryption. The reason is that encrypting and decrypting in 
these cryptosystems require too much time and memory on most computers, generally 
several orders of magnitude more than required for symmetric cryptosystems currently 
in use. However, public key cryptosystems are used extensively to encrypt keys for 
symmetric cryptosystems such as DES, so that these keys can be transmitted securely. 
They are also used in a wide variety of cryptographic protocols, such as in digital 
signatures (discussed in Section 8.6). They are also particularly useful for applications 
involving smart cards and electronic commerce. 

Also note that in modern cryptography, the cryptosystem used to encrypt messages is
publicly known. Consequently, the secrecy of encrypted messages does not depend on the
secrecy of the encryption algorithm in use. For symmetric key cryptosystems, the secrecy
of messages depends on the secrecy of the encryption key in use and the computational
difficulty of finding this key from other information (such as plaintext-ciphertext pairs).
For public key cryptosystems, secrecy rests on the secrecy of the decryption key and
the computational difficulty of finding this key from the encryption key and other public
information (such as plaintext-ciphertext pairs).


The RSA Cryptosystem 

The most commonly used public key cryptosystem is the RSA cryptosystem, named after 
Ronald Rivest, Adi Shamir, and Leonard Adleman [RiShAd78], who described it in 1977 
(and patented it [RiShAd83] in 1983). However, this cryptosystem was actually invented
several years earlier in 1973 by the British mathematician Clifford Cocks in secret work 
at the Communications Headquarters of British intelligence. Cocks’s invention was only 
declassified and made public in 1997. 

The RSA cryptosystem is a public key cryptosystem based on modular exponentiation,
where the keys are pairs (e, n) consisting of an exponent e and a modulus n that is
the product of two large primes; that is, n = pq, where p and q are large primes, so that
$(e, \phi(n)) = 1$. To encrypt a message, we first translate the letters into their numerical
equivalents and then form blocks of the largest possible size (with an even number of
digits). To encrypt a plaintext block P, we apply the encryption transformation E(P) to
obtain the ciphertext block C with

$E(P) = C \equiv P^e \pmod{n}, \quad 0 \le C < n.$

The decrypting procedure requires knowledge of an inverse d of e modulo $\phi(n)$,
which exists because $(e, \phi(n)) = 1$. To decrypt the ciphertext block C, we use the
decryption transformation D(C) with

$D(C) \equiv C^d \pmod{n}, \quad 0 \le D(C) < n.$

To see that $D(C) \equiv (P^e)^d \equiv P \pmod{n}$ for all possible plaintext messages P, note that

$D(C) \equiv C^d \equiv (P^e)^d = P^{ed} = P^{k\phi(n)+1} = P^{\phi(n)k} P \pmod{n},$

where $ed = k\phi(n) + 1$ for some integer k, because $ed \equiv 1 \pmod{\phi(n)}$. When (P, n) = 1,
by Euler's theorem we know that $P^{\phi(n)} \equiv 1 \pmod{n}$. Consequently,

$P^{\phi(n)k} P \equiv (P^{\phi(n)})^k P \equiv P \pmod{n}.$

Hence,

$D(C) \equiv P \pmod{n}.$

Next, we consider the rare case (see Exercise 4) when (P, n) > 1. To show that the
decryption transformation recovers the plaintext message, we need to first look at
congruences modulo p and modulo q separately and then apply the Chinese remainder theorem.
(Our reasoning here also applies when (P, n) = 1, although it is more complicated
than our earlier reasoning.) So, suppose that $P \not\equiv 0 \pmod{p}$. Then, we have

$D(C) \equiv P^{\phi(n)k} P = P^{(p-1)(q-1)k} P \equiv P \pmod{p},$

where we have used the congruence $P^{p-1} \equiv 1 \pmod{p}$, which follows by Fermat's little
theorem. Furthermore, if $P \equiv 0 \pmod{p}$, then $C \equiv P^e \equiv 0 \pmod{p}$, so that
$D(C) \equiv P \pmod{p}$ in this case as well. Similar reasoning holds for the prime q, so that
$D(C) \equiv P \pmod{q}$. Applying the Chinese remainder theorem, it follows that the separate
congruences modulo p and modulo q imply that $D(C) \equiv P \pmod{n}$ for all P, including
those P for which (P, n) > 1.

member of the mathematics faculty at M.I.T. from 1976 until 1980; during
his stay at M.I.T., he helped invent the RSA cryptosystem. In 1980, he was
appointed to a position in the computer science department of the University
of Southern California, and to a chaired professorship in 1985. Adleman has
worked in the areas of computational complexity, computer security, immunology,
and molecular biology, in addition to his work in cryptography. He coined the term “computer
virus.” His recent work on computing using DNA has attracted great interest. Adleman served as the
technical adviser for the movie Sneakers, in which computer security figured prominently.

We have shown that for the RSA cryptosystem, the pair (d, n) is the decrypting key
corresponding to the encrypting key (e, n), where d is an inverse of e modulo $\phi(n)$.

Note that a cryptanalyst who knows that a message P is not relatively prime to n can
factor n and break the particular RSA code being used (Exercise 4). There is an extremely
low probability that an arbitrary message P is not relatively prime to n (Exercise 3).

CLIFFORD COCKS (b. 1950) was born at Prestbury in Cheshire, England. He
attended the Manchester Grammar School, a prestigious day school founded in
1515. After developing an aversion to studying Greek and Latin, he proclaimed
an interest in science. He soon developed a passion for mathematics under
the guidance of excellent instructors. In 1968, he won a silver medal at the
International Mathematics Olympiad. In the fall of 1968, Cocks entered King’s
College, Cambridge. He later graduated with a degree in mathematics and spent
a short time at Oxford University studying number theory. In 1973, he took a
job doing mathematical work at the Government Communications Headquarters (GCHQ) of British
intelligence. Two months after joining GCHQ, Cocks’ mentor told him about the idea of public key
cryptography, which was described in an internal report written by another employee, James Ellis.
Just a day later, Cocks leveraged his number theory knowledge to invent what is now called the
RSA cryptosystem. He was quickly led to this idea when he realized that reversing the process of
multiplying two large primes could be used as the basis of a public key cryptosystem. Only in 1997,
24 years after his discovery, was Cocks permitted to share with the world declassified GCHQ internal
documents describing his discovery. Besides his invention of the RSA cryptosystem, Cocks is known
for his invention of a secure identity-based encryption scheme, which uses information about a user’s
identity as a public key. In 2001, Cocks became the Chief Mathematician at GCHQ. He is proud of
his work setting up the Heilbronn Institute for Mathematical Research, a partnership between GCHQ
and the University of Bristol.

Example 8.16. To illustrate how the RSA cryptosystem works, suppose that the
encrypting modulus is the product of the two primes 43 and 59 (which are smaller than the
large primes that would actually be used); thus, we have $n = 43 \cdot 59 = 2537$ as the
modulus. We take e = 13 as the exponent; note that we have $(e, \phi(n)) = (13, 42 \cdot 58) = 1$.
To encrypt the message

PUBLIC KEY CRYPTOGRAPHY,

we first translate the letters into their numerical equivalents, and then group these
numbers together into blocks of four. We obtain

1520 0111 0802 1004 2402 1724

1519 1406 1700 1507 2423,

where we have added the dummy letter X = 23 at the end of the passage to fill out the
final block.

We encrypt each plaintext block into a ciphertext block, using the relationship

$C \equiv P^{13} \pmod{2537}.$

For instance, when we encrypt the first plaintext block 1520, we obtain the ciphertext
block

$C \equiv (1520)^{13} \equiv 95 \pmod{2537}.$

Encrypting all the plaintext blocks, we obtain the ciphertext message 


0095 1648 1410 1299 0811 2333

2132 0370 1185 1957 1084.



To decrypt messages that have been encrypted using this RSA cipher, we must find an
inverse of e = 13 modulo $\phi(2537) = \phi(43 \cdot 59) = 42 \cdot 58 = 2436$. A short computation
using the Euclidean algorithm, as done in Section 4.2, shows that d = 937 is an inverse of
13 modulo 2436. Consequently, to decrypt the ciphertext block C, we use the relationship

$P \equiv C^{937} \pmod{2537}, \quad 0 \le P < 2537,$

which is valid because

$C^{937} \equiv (P^{13})^{937} \equiv (P^{2436})^5 P \equiv P \pmod{2537}.$

Note that we have used Euler’s theorem to see that

$P^{\phi(2537)} = P^{2436} \equiv 1 \pmod{2537},$

when (P, 2537) = 1 (which is true for all of the plaintext blocks in this example). ◄
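
The following Python program is an added illustration, not part of the text. It carries out the block encoding, encryption, and decryption of Examples 8.14 and 8.15 (prime modulus, inverse taken modulo p - 1) and of Example 8.16 (RSA modulus, inverse taken modulo $\phi(n)$) with one set of routines. The function names are hypothetical, and the built-in pow stands in for the algorithms of Sections 4.1 and 4.2.

```python
from math import gcd

def letters_per_block(modulus):
    """Largest m such that every block of m letters (at most 2525...25) is below the modulus."""
    m = 0
    while int("25" * (m + 1)) < modulus:
        m += 1
    if m == 0:
        raise ValueError("modulus must exceed 25 to hold a one-letter block")
    return m

def text_to_blocks(text, modulus, pad="X"):
    """Table 8.9 encoding (A=00 ... Z=25); non-letters are dropped, last block padded with X."""
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    m = letters_per_block(modulus)
    letters += [pad] * (-len(letters) % m)
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in letters)
    return [int(digits[i:i + 2 * m]) for i in range(0, len(digits), 2 * m)]

def blocks_to_text(blocks, modulus):
    """Inverse of text_to_blocks; rejects integers that are not valid letter blocks."""
    m = letters_per_block(modulus)
    out = []
    for block in blocks:
        digits = f"{block:0{2 * m}d}"
        pairs = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
        if len(digits) != 2 * m or max(pairs) > 25:
            raise ValueError(f"{block} is not a block of {m} letters")
        out.extend(chr(ord("A") + v) for v in pairs)
    return "".join(out)

def decryption_exponent(e, order):
    """Inverse d of e modulo `order`: p - 1 for a prime modulus, phi(n) for RSA."""
    if gcd(e, order) != 1:
        raise ValueError("e must be relatively prime to the order")
    return pow(e, -1, order)  # Python 3.8+

def apply_exponent(blocks, exponent, modulus):
    """Raise each block to the exponent and reduce to the least nonnegative residue."""
    return [pow(block, exponent, modulus) for block in blocks]

def worked_example(message, e, modulus, order):
    d = decryption_exponent(e, order)
    plain = text_to_blocks(message, modulus)
    cipher = apply_exponent(plain, e, modulus)
    recovered = blocks_to_text(apply_exponent(cipher, d, modulus), modulus)
    return {"d": d, "plain": plain, "cipher": cipher, "recovered": recovered}

# Examples 8.14/8.15: p = 2633, e = 29, exponents are inverted modulo p - 1.
EXAMPLE_8_14 = worked_example(
    "THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER", 29, 2633, 2633 - 1)

# Example 8.16: n = 43 * 59, e = 13, exponents are inverted modulo phi(n) = 42 * 58.
EXAMPLE_8_16 = worked_example("PUBLIC KEY CRYPTOGRAPHY", 13, 43 * 59, 42 * 58)

if __name__ == "__main__":
    for name, ex in (("8.14", EXAMPLE_8_14), ("8.16", EXAMPLE_8_16)):
        print("Example", name, "d =", ex["d"])
        print("  ciphertext:", " ".join(f"{c:04d}" for c in ex["cipher"]))
        print("  recovered: ", ex["recovered"])
```

Equal plaintext blocks always give equal ciphertext blocks here (the two blocks 0818 in Example 8.14), which is why practical systems encrypt randomly padded messages rather than raw blocks.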

The Security of the RSA Cryptosystem. To understand how the RSA cryptosystem
fulfills the requirements of a public key cryptosystem, first note that each individual can
find two large primes p and q, each with 200 decimal digits, in just a few minutes of
computer time. These primes can be found by picking odd integers with 200 digits at
random; by the prime number theorem, the probability that such an integer is prime
is approximately $2/\log 10^{200}$. Hence, we expect to find a prime after examining an
average of $1/(2/\log 10^{200})$, or approximately 230, such integers. To test these randomly
chosen odd integers for primality, we use Rabin’s probabilistic primality test (discussed
in Section 6.2). For each of these 200-digit odd integers, we perform Miller’s test for 100
bases less than the integer; the probability that a composite integer passes all these tests
is less than $10^{-60}$. The procedure we have just outlined requires only a few minutes of
computer time to find a 200-digit prime, and each individual need do so only twice.

Once the primes p and q have been found, an encrypting exponent e must be chosen
such that $(e, \phi(pq)) = 1$. One suggestion for choosing e is to take any prime greater than
both p and q. No matter how e is found, it should be true that $2^e > n = pq$, so that it is
impossible to recover the plaintext block P, $P \ne 0$ or 1, just by taking the eth root of
the integer C with $C \equiv P^e \pmod{n}$, $0 \le C < n$. As long as $2^e > n$, every message, other
than P = 0 and 1, is encrypted by exponentiation followed by a reduction modulo n.

We note that the modular exponentiation needed for encrypting messages using
the RSA cryptosystem can be done using only a few seconds of computer time using
the fast modular exponentiation algorithm described in Section 4.1 when the modulus,
exponent, and base in the modular exponentiation have as many as 500 decimal digits.
Also, using the Euclidean algorithm, we can rapidly find an inverse d of the encryption
exponent e modulo $\phi(n)$ when the primes p and q are known, so that
$\phi(n) = \phi(pq) = (p - 1)(q - 1)$ is known.

To see why knowledge of the encrypting key (e, n) does not easily lead to the
decrypting key (d, n), note that to find d, an inverse of e modulo $\phi(n)$, requires
that we first find $\phi(n) = \phi(pq) = (p - 1)(q - 1)$. Note that finding $\phi(n)$ is not
easier than factoring the integer n. To see why, note that $p + q = n - \phi(n) + 1$ and
$p - q = \sqrt{(p + q)^2 - 4pq} = \sqrt{(p + q)^2 - 4n}$ and that $p = \frac{1}{2}[(p + q) + (p - q)]$ and
$q = \frac{1}{2}[(p + q) - (p - q)]$. Consequently, p and q can easily be found when n = pq
and $\phi(n) = (p - 1)(q - 1)$ are known. Note that when p and q both have approximately
200 decimal digits, n = pq has approximately 400 decimal digits. Using the fastest
factorization algorithm known, millions of years of computer time are required to factor an
integer of this size. Also, if the integer d is known, but $\phi(n)$ is not, then n may also be
factored easily, because ed - 1 is a multiple of $\phi(n)$ and there are special algorithms for
factoring an integer n using any multiple of $\phi(n)$ (see [Mi76]).
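
The identities for p + q and p - q above translate directly into a short routine, given here as an added illustration that is not part of the text. It shows why $\phi(n)$ has to be guarded as carefully as p and q themselves. The function name is hypothetical, and the values in the usage line are those of Example 8.16.

```python
from math import isqrt

def factor_from_phi(n, phi):
    """Recover (p, q) with p >= q from n = pq and phi = (p - 1)(q - 1)."""
    s = n - phi + 1              # p + q
    disc = s * s - 4 * n         # (p - q)^2 = (p + q)^2 - 4n
    if disc < 0:
        raise ValueError("n and phi are not consistent with n = pq")
    diff = isqrt(disc)           # p - q, if disc is a perfect square
    p, q = (s + diff) // 2, (s - diff) // 2
    # Reject inputs for which the square root was not exact or the
    # recovered values do not reproduce both n and phi.
    if diff * diff != disc or p * q != n or (p - 1) * (q - 1) != phi:
        raise ValueError("n and phi are not consistent with n = pq")
    return p, q

if __name__ == "__main__":
    print(factor_from_phi(2537, 2436))
```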

It has not been proven that it is impossible to decrypt messages encrypted using the 
RSA cryptosystem without factoring n, but so far no such method has been discovered. 
(For example, we could decrypt RSA ciphertext if an algorithm existed that could 
quickly find eth roots modulo n that did not depend on knowledge of the factorization 
of n.) As yet, all decrypting methods that work in general are equivalent to factoring n, 
and, as we have remarked, factoring large integers seems to be an intractable problem, 
requiring tremendous amounts of computer time. If no method of decrypting RSA 
messages without factoring the modulus n is found, the security of the RSA system 
can be maintained by increasing the size of the modulus as factoring methods and 
computational power improve. Unfortunately, messages encrypted using the RSA will 
become vulnerable to attack when factoring the modulus n becomes feasible. This means 
that extra care should be taken — for example, by using primes p and q each with several 
hundred digits — to protect the secrecy of messages that must be kept secret for tens, or 
hundreds, of years. 

Note that a few extra precautions should be taken in choosing the primes p and
q to be used in the RSA cryptosystem, to prevent the use of special rapid techniques
to factor n = pq. For example, both p - 1 and q - 1 should have large prime factors,
(p - 1, q - 1) should be small, and p and q should not be too close together (see Exercise
12), which can be avoided by selecting them with decimal expansions differing in length
by a few digits.

As we have remarked, the security of the RSA cryptosystem depends on the difficulty
of factoring large integers. In particular, for the RSA cryptosystem, once the modulus 
n has been factored it is easy to find the decrypting transformation from the encrypting 
transformation. Note, however, that it may be possible to somehow find the decrypting 
transformation from the encrypting transformation without factoring n, although this 
seems unlikely at present. 


Attacks on Implementations of the RSA Cryptosystem 

After more than 30 years of scrutiny, a variety of attacks on particular implementations 
of the RSA cryptosystem have been devised. These attacks show that care must be taken 
when implementing RSA to avoid particular vulnerabilities, called protocol failures. 
Note that no fundamental vulnerability has been found that would make RSA unsuitable 
for use as a public key cryptosystem. We will describe a variety of these attacks. The 
interested reader should consult [Bo99]. 

Encrypting the same plaintext message with different keys can lead to a successful 
Hastad broadcast attack. For example, when the encryption exponent 3 is used by three 
different people with different encryption moduli to encrypt the same plaintext message, 
someone who has the three ciphertext messages produced can recover the original
plaintext. In general, it is possible to recover a plaintext message from ciphertext produced
by encrypting the message using different RSA encryption keys when sufficiently many 
copies of the message have been encrypted. This type of attack can even succeed if the 
original message is altered for each recipient in a way that produces linearly related 
plaintext. To avoid this vulnerability, different random paddings of the message should 
be encrypted. 

We now describe a vulnerability of RSA found by M. Wiener [Wi90]. He showed
that the decrypting exponent d of an RSA cryptosystem with encrypting key (e, n) can be
efficiently determined if n = pq, p and q are primes with q < p < 2q, and the decrypting
exponent d is less than $n^{1/4}/3$. (In Chapter 12, we will use the theory of continued
fractions to develop this attack.) This result shows that primes p and q that are not
too close together should be used to produce the encrypting modulus and a decrypting
exponent d that is relatively large should be used. Although it is customary to first select
the encryption key in an RSA cipher, we can make the decrypting exponent large by
selecting it first, and then using it to compute the encrypting exponent e.
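
The conditions on e, d, p, and q stated in this section can be checked mechanically when a key is generated. The following audit routine is an added illustration, not part of the text. It tests that $(e, \phi(n)) = 1$, that $2^e > n$, that the key does not fall under Wiener's conditions ($q < p < 2q$ and $d < n^{1/4}/3$), and that p and q are not so close that Fermat's factorization method (see Exercise 12) succeeds at once. The function names, the finding labels, the budget of 1000 Fermat steps, and the sample keys in the comments are assumptions made for the illustration.

```python
from math import gcd, isqrt

def fermat_finds_factor(n, steps):
    """True if a^2 - n is a perfect square for one of the first `steps` values a >= sqrt(n)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return True          # n = (a - b)(a + b)
        a += 1
    return False

def audit_rsa_key(p, q, e, fermat_steps=1000):
    """Return the list of findings for the key (e, n = pq); an empty list means no check fired."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return ["e_not_coprime_to_phi"]       # no decrypting exponent exists
    d = pow(e, -1, phi)                       # Python 3.8+
    findings = []
    # 2^e > n holds exactly when e >= bit length of n (n is odd, so not a power of 2).
    if e < n.bit_length():
        findings.append("e_too_small")
    # Wiener: q < p < 2q and d < n^(1/4)/3, i.e. 81 d^4 < n, compared exactly in integers.
    lo, hi = sorted((p, q))
    if lo < hi < 2 * lo and 81 * d ** 4 < n:
        findings.append("wiener_small_d")
    if fermat_finds_factor(n, fermat_steps):
        findings.append("primes_too_close")
    return findings

if __name__ == "__main__":
    # Key of Example 8.16: the primes 43 and 59 are close enough for Fermat's method.
    print(audit_rsa_key(59, 43, 13))
    # Constructed key with the decrypting exponent d = 17 chosen first (too small).
    phi = 104728 * 65536
    print(audit_rsa_key(104729, 65537, pow(17, -1, phi)))
    # Constructed key from the Mersenne primes 2^89 - 1 and 2^61 - 1 with e = 65537.
    print(audit_rsa_key(2**89 - 1, 2**61 - 1, 65537))
```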

Disclosing partial information about one of the primes that make up the encrypting 
modulus n leads to another weakness of the RSA cryptosystem. Suppose that n = pq 
has m digits. Then knowing the initial m/4 or the final m/4 digits of p allows n to be 
efficiently factored. For example, when both p and q have 100 decimal digits, if we 
know the first 50 or the last 50 digits of p, we will be able to factor n. Details of this 
partial key disclosure attack can be found in [Co97]. A similar result shows that if we 
know the last m/4 digits of the decrypting exponent d, then we can efficiently find d
using $O(e \log e)$ operations. This shows that if the encryption exponent e is small, the
decryption exponent d can be found if we know the last 1/4 of its digits.

The final type of attack we mention was discovered by Paul Kocher in 1995 when 
he was an undergraduate at Stanford University. He demonstrated that the decryption 
exponent in the RSA cryptosystem can be determined by carefully measuring the time 
required for the system to perform a series of decryptions. This provides information that 
can be used to determine the decryption key d. Fortunately, it is easy to devise methods 
to thwart this attack. For a description of this attack, see [TrWa02] and the article by 
Kocher [Ko96a]. 

The widespread acceptance and use of the RSA cryptosystem makes it an inviting 
target for attack. That only minor vulnerabilities have been found has given people
confidence in the practical use of this cryptosystem. This fuels the search for vulnerabilities
in this popular cryptosystem. 

The Rabin Cryptosystem 

Michael Rabin [Ra79] discovered a variant of the RSA cryptosystem for which
factorization of the modulus n has almost the same computational complexity as obtaining
the decrypting transformation from the encrypting transformation. To describe Rabin’s
cryptosystem, let n = pq, where p and q are odd primes, and let b be an integer with
0 < b < n. To encrypt the plaintext message P, we form

$C \equiv P(P + b) \pmod{n}.$

We will not discuss the decrypting procedure for Rabin ciphers here, because it relies 
on some concepts that we have not yet developed (see Exercise 49 in Section 11.1). 
However, we remark that there are four possible values of P for each ciphertext C such
that $C \equiv P(P + b) \pmod{n}$, an ambiguity that complicates the decrypting process. When
p and q are known, the decrypting procedure for a Rabin cipher can be carried out rapidly
because $O(\log n)$ bit operations are needed.

Rabin has shown that if there is an algorithm for decrypting in this cryptosystem,
without knowledge of the primes p and q, that requires $f(n)$ bit operations, then there
is an algorithm for the factorization of n requiring only $2(f(n) + \log n)$ bit operations.
Hence, the process of decrypting messages encrypted with a Rabin cipher without
knowledge of p and q is a problem of computational complexity similar to that of factorization.
For more information about the Rabin public key cryptosystem, see [MevaVa97].


8.4 Exercises

1. Find the primes p and q if n = pq = 14,647 and $\phi(n)$ = 14,400.

2. Find the primes p and q if n = pq = 4,386,607 and $\phi(n)$ = 4,382,136.

3. Suppose a cryptanalyst discovers a message P that is not relatively prime to the enciphering 
modulus n = pq used in an RSA cipher. (He can confirm this by running the Euclidean 
algorithm.) Show that the cryptanalyst can factor n. 

4. Show that it is extremely unlikely that a message such as that described in Exercise 3 can be
discovered. Do this by demonstrating that the probability that a message P is not relatively
prime to n is $\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}$, and if p and q are both larger than $10^{100}$, this probability is less
than $10^{-99}$. In this exercise, assume that it is equally likely for a message to fall into each
residue class modulo n.

5. What is the ciphertext that is produced when RSA encryption with key ( e , n ) = (3, 2669) is 
used to encrypt the message BEST WISHES? 

6. What is the ciphertext that is produced when RSA encryption with key ( e , n ) = (7, 2627) is 
used to encrypt the message LIFE IS A DREAM? 

7. If the ciphertext message produced by RSA encryption with the key (e, n) = (13, 2747) is 
2206 0755 0436 1165 1737, what is the plaintext message?

8. If the ciphertext message produced by RSA encryption with the key ( e , n) = (5, 2881) is 
0504 1874 0347 0515 2088 2356 0736 0468, what is the plaintext message? 

9. Encrypt the message SELL NOW using the Rabin cipher C = P(P + 5) (mod 2573). 

10. Encrypt the message LEAVE TOWN using the Rabin cipher C = P(P + 11) (mod 3901). 

11. Suppose that Bob, extremely concerned with security, selects an encrypting modulus $n$,
$n = pq$, where $p$ and $q$ are large primes, and two encrypting exponents $e_1$ and $e_2$. He asks
Alice to double encrypt messages sent to him by first encrypting plaintext using the RSA
cipher with encryption key $(e_1, n)$ and then encrypting the resulting ciphertext again using
the RSA cipher with encryption key $(e_2, n)$. Does Bob gain any extra security by this double
encryption? Justify your answer.

12. Explain why we should not choose primes p and q that are too close together to form the 
encrypting exponent n in the RSA cryptosystem. In particular, show that using a pair of twin 
primes for p and q would be disastrous. (Hint: Recall Fermat’s factorization method.) 

13. Suppose that two parties share a common modulus n in the RSA cryptosystem, but have 
different encrypting exponents. Show that the plaintext of a message sent to each of these 
two parties encrypted using each of their RSA keys can be recovered from the ciphertext 
messages. 

14. Show that if the encryption exponent 3 is used for the RSA cryptosystem by three different
people with different moduli, a plaintext message $P$ encrypted using each of their keys can
be recovered from these resulting three ciphertext messages. (Hint: Suppose that the moduli
in these three keys are $n_1$, $n_2$, and $n_3$. First find a common solution to the congruences
$x_i \equiv P^3 \pmod{n_i}$, $i = 1, 2, 3$.) (This is an example of a Hastad broadcast attack.)

15. Describe how an RSA cryptosystem works if the encrypting modulus n is the product of three 
primes, rather than two primes. 

16. Suppose that two people have RSA encrypting keys with encrypting moduli $n_1$ and $n_2$,
respectively, where $n_1 \ne n_2$. Show how you could break the system if $(n_1, n_2) > 1$.

17. Suppose we use RSA encryption with the same key to encrypt plaintext messages $P_1$ and $P_2$,
and their product $P = P_1P_2$. Show that the ciphertext obtained when $P$ is encrypted equals the
product of the ciphertexts $C_1$ and $C_2$, produced when $P_1$ and $P_2$ are encrypted, respectively,
reduced modulo $n$, where $n$ is the encryption modulus.

18. Suppose that Alice’s RSA encryption key is $(e, n)$ and that $C$ is the ciphertext produced when
she encrypts the plaintext message $P$. Show that Eve can recover $P$ after intercepting $C$ if she
manages to obtain the result of Alice’s decryption of $C' = Cr^e$, where $r$ is a random integer
that Eve has selected. (Alice decrypts $C'$ because she has been fooled into thinking it is a
valid message. Eve is able to obtain the result when Alice throws away what seems to her to
be nonsense.)

Computations and Explorations 

1. Construct a key for the RSA cipher for inclusion in a directory of encryption keys for the 
members of your class. 

2. For each member of your class, encrypt a message using the RSA cipher with the public keys 
published in the directory. 

3. Decrypt the messages sent to you by your classmates that were encrypted using your RSA 
encryption key. 


Programming Projects 

1. Generate valid keys $(e, n)$ for the RSA cryptosystem.

2. Given a valid key (e, n) for the RSA cryptosystem and the factorization n = pq where p and 
q are primes, find the corresponding decryption key d. 

3. Given a message, encrypt a message using the RSA cipher with a given key (e, n). 

4. Given a message that was encrypted using an RSA cipher with encryption key $(e, n)$ and the
corresponding decryption key $d$, decrypt it.


8.5 Knapsack Ciphers 

In this section, we discuss cryptosystems based on the knapsack problem. Given a set
of positive integers $a_1, a_2, \ldots, a_n$ and an integer $S$, the knapsack problem asks which
of these integers, if any, add together to give $S$. Another way to phrase the knapsack
problem is to ask for values of $x_1, x_2, \ldots, x_n$, each either 0 or 1, such that

(8.3)  $S = a_1x_1 + a_2x_2 + \cdots + a_nx_n.$

We use an example to illustrate the knapsack problem. 

Example 8.17. Let $(a_1, a_2, a_3, a_4, a_5) = (2, 7, 8, 11, 12)$ and $S = 21$. By inspection,
we see that there are two subsets of these five integers that add together to give 21,
namely, $21 = 2 + 8 + 11 = 2 + 7 + 12$. Equivalently, there are exactly two solutions to
the equation $2x_1 + 7x_2 + 8x_3 + 11x_4 + 12x_5 = 21$, with $x_i = 0$ or $1$ for $i = 1, 2, 3, 4, 5$.
These solutions are $x_1 = x_3 = x_4 = 1$, $x_2 = x_5 = 0$, and $x_1 = x_2 = x_5 = 1$, $x_3 = x_4 = 0$. ◄

To verify that equation (8.3) holds, where each $x_i$ is either 0 or 1, requires that we
perform at most $n$ additions. On the other hand, to search by trial and error for solutions of
(8.3) may require that we check all $2^n$ possibilities for $(x_1, x_2, \ldots, x_n)$. The best method
known for finding a solution of the knapsack problem requires $O(2^{n/2})$ bit operations,
which makes a computer solution of a general knapsack problem extremely infeasible
even when $n = 100$.

Certain values of the integers $a_1, a_2, \ldots, a_n$ make the solution of the knapsack
problem much easier than the solution in the general case. For instance, if $a_j = 2^{j-1}$,
to solve $S = a_1x_1 + a_2x_2 + \cdots + a_nx_n$, where $x_i = 0$ or $1$ for $i = 1, 2, \ldots, n$, simply
requires that we find the binary expansion of $S$. We can also produce easy knapsack
problems by choosing the integers $a_1, a_2, \ldots, a_n$ so that the sum of the first $j - 1$ of
these integers is always less than the $j$th integer, that is, so that

$\sum_{i=1}^{j-1} a_i < a_j, \quad j = 2, 3, \ldots, n.$

If a sequence of integers $a_1, a_2, \ldots, a_n$ satisfies this inequality, we call the sequence
super-increasing.

Example 8.18. The sequence 2, 3, 7, 14, 27 is super-increasing because $3 > 2$, $7 > 3 + 2$,
$14 > 7 + 3 + 2$, and $27 > 14 + 7 + 3 + 2$. ◄

To see that knapsack problems involving super-increasing sequences are easy to 
solve, we first consider an example. 

Example 8.19. Let us find the integers from the set 2, 3, 7, 14, 27 that have 37 as
their sum. First, we note that because $2 + 3 + 7 + 14 < 27$, a sum of integers from
this set can only be greater than 27 if the sum contains the integer 27. Hence, if
$2x_1 + 3x_2 + 7x_3 + 14x_4 + 27x_5 = 37$ with each $x_i = 0$ or $1$, we must have $x_5 = 1$ and
$2x_1 + 3x_2 + 7x_3 + 14x_4 = 10$. Because $14 > 10$, $x_4$ must be 0 and we have
$2x_1 + 3x_2 + 7x_3 = 10$. Because $2 + 3 < 7$, we must have $x_3 = 1$ and therefore $2x_1 + 3x_2 = 3$.
Obviously, we have $x_2 = 1$ and $x_1 = 0$. The solution is $37 = 3 + 7 + 27$. ◄

In general, to solve knapsack problems for a super-increasing sequence $a_1, a_2, \ldots, a_n$,
that is, to find the values of $x_1, x_2, \ldots, x_n$ with $S = a_1x_1 + a_2x_2 + \cdots + a_nx_n$ and
$x_i = 0$ or $1$ for $i = 1, 2, \ldots, n$ when $S$ is given, we use the following algorithm. First,
we find $x_n$ by noting that

$x_n = \begin{cases} 1 & \text{if } S \ge a_n; \\ 0 & \text{if } S < a_n. \end{cases}$

Then, we find $x_{n-1}, x_{n-2}, \ldots, x_1$, in succession, using the equations

$x_j = \begin{cases} 1 & \text{if } S - \sum_{i=j+1}^{n} x_ia_i \ge a_j; \\ 0 & \text{if } S - \sum_{i=j+1}^{n} x_ia_i < a_j, \end{cases}$

for $j = n - 1, n - 2, \ldots, 1$.

To see that this algorithm works, first note that if $x_n = 0$ when $S \ge a_n$, then
$\sum_{i=1}^{n} a_ix_i \le \sum_{i=1}^{n-1} a_i < a_n \le S$, contradicting the condition $\sum_{j=1}^{n} a_jx_j = S$. Similarly,
if $x_j = 0$ when $S - \sum_{i=j+1}^{n} x_ia_i \ge a_j$, then $\sum_{i=1}^{n} a_ix_i \le \sum_{i=1}^{j-1} a_i + \sum_{i=j+1}^{n} x_ia_i < a_j + \sum_{i=j+1}^{n} x_ia_i \le S$,
which is again a contradiction.

Using this algorithm, knapsack problems based on super-increasing sequences can
be solved extremely quickly. We now discuss a cryptosystem based on this observation,
invented by Merkle and Hellman [MeHe78], that was initially considered a good choice
for a public key cryptosystem. (We will comment more about this later in this section.)

The ciphers that we describe here are based on transformed super-increasing sequences.
To be specific, let $a_1, a_2, \ldots, a_n$ be super-increasing and let $m$ be a positive
integer with $m > 2a_n$. Let $w$ be an integer relatively prime to $m$ with inverse $\bar{w}$ modulo
$m$. We form the sequence $b_1, b_2, \ldots, b_n$, where $b_j \equiv wa_j \pmod{m}$ and $0 \le b_j < m$. We
cannot use this special technique to solve a knapsack problem of the type $S = \sum_{i=1}^{n} b_ix_i$,
where $S$ is a positive integer, because the sequence $b_1, b_2, \ldots, b_n$ is not super-increasing.
However, when $w$ is known, we can find

(8.4)  $\bar{w}S = \sum_{i=1}^{n} \bar{w}b_ix_i \equiv \sum_{i=1}^{n} a_ix_i \pmod{m},$

because $\bar{w}b_j \equiv a_j \pmod{m}$. From (8.4), we see that

$S_0 = \sum_{i=1}^{n} a_ix_i,$

where $S_0$ is the least positive residue of $\bar{w}S$ modulo $m$. We can easily solve the equation

$S_0 = \sum_{i=1}^{n} a_ix_i,$

because $a_1, a_2, \ldots, a_n$ is super-increasing. This solves the knapsack problem

$S = \sum_{i=1}^{n} b_ix_i,$

because $b_j \equiv wa_j \pmod{m}$ and $0 \le b_j < m$. We illustrate this procedure with an
example.

Example 8.20. The super-increasing sequence $(a_1, a_2, a_3, a_4, a_5) = (3, 5, 9, 20, 44)$
can be transformed into the sequence $(b_1, b_2, b_3, b_4, b_5) = (23, 68, 69, 5, 11)$ by taking
$b_j \equiv 67a_j \pmod{89}$, for $j = 1, 2, 3, 4, 5$. To solve the knapsack problem $23x_1 + 68x_2 +
69x_3 + 5x_4 + 11x_5 = 84$, we can multiply both sides of this equation by 4, an inverse
of 67 modulo 89, and then reduce modulo 89, to obtain the congruence $3x_1 + 5x_2 +
9x_3 + 20x_4 + 44x_5 \equiv 336 \equiv 69 \pmod{89}$. Because $89 > 3 + 5 + 9 + 20 + 44$, we can
conclude that $3x_1 + 5x_2 + 9x_3 + 20x_4 + 44x_5 = 69$. The solution of this easy knapsack
problem is $x_5 = x_4 = x_2 = 1$ and $x_3 = x_1 = 0$. Hence, the original knapsack problem has
as its solution $68 + 5 + 11 = 84$. ◄

The cryptosystem based on the knapsack problem invented by Merkle and Hellman
works as follows. Each individual chooses a super-increasing sequence of positive
integers of a specified length, say, $N$ (for example, $a_1, a_2, \ldots, a_N$), as well as a
modulus $m$ with $m > 2a_N$ and a multiplier $w$ with $(m, w) = 1$. The transformed sequence
$b_1, b_2, \ldots, b_N$ is made public. When someone wishes to send a message $P$ to this
individual, the message is first translated into a string of zeros and ones using the binary
equivalents of letters, as shown in Table 8.10. This string of zeros and ones is next split
into segments of length $N$ (for simplicity, we suppose that the length of the string is
divisible by $N$; if not, we can simply fill out the last block with all ones). For each block,
a sum is computed using the sequence $b_1, b_2, \ldots, b_N$; for instance, the block $x_1x_2 \ldots x_N$
gives $S = b_1x_1 + b_2x_2 + \cdots + b_Nx_N$. Finally, the sums generated by each block form
the ciphertext message.

We note that to decipher ciphertext generated by the knapsack cipher, without
knowledge of $m$ and $w$, requires that a group of hard knapsack problems of the form

(8.5)  $S = b_1x_1 + b_2x_2 + \cdots + b_Nx_N$

be solved. On the other hand, when $m$ and $w$ are known, the knapsack problem (8.5) can
be transformed into an easy knapsack problem, because

$\bar{w}S = \bar{w}b_1x_1 + \bar{w}b_2x_2 + \cdots + \bar{w}b_Nx_N$
$\quad\;\; \equiv a_1x_1 + a_2x_2 + \cdots + a_Nx_N \pmod{m},$

in which $\bar{w}b_j \equiv a_j \pmod{m}$, where $\bar{w}$ is an inverse of $w$ modulo $m$, so that

(8.6)  $S_0 = a_1x_1 + a_2x_2 + \cdots + a_Nx_N,$

where $S_0$ is the least positive residue of $\bar{w}S$ modulo $m$. We have equality in (8.6), because
both sides of the equation are positive integers less than $m$ that are congruent modulo $m$.

Letter  Binary Equivalent    Letter  Binary Equivalent
A       00000                N       01101
B       00001                O       01110
C       00010                P       01111
D       00011                Q       10000
E       00100                R       10001
F       00101                S       10010
G       00110                T       10011
H       00111                U       10100
I       01000                V       10101
J       01001                W       10110
K       01010                X       10111
L       01011                Y       11000
M       01100                Z       11001

Table 8.10 The binary equivalents of letters.

We illustrate the encrypting and decrypting procedures of the knapsack cipher with
an example. We start with the super-increasing sequence $(a_1, a_2, a_3, a_4, a_5, a_6, a_7, a_8,
a_9, a_{10}) = (2, 11, 14, 29, 58, 119, 241, 480, 959, 1917)$. We take $m = 3837$ as the
encrypting modulus, so that $m > 2a_{10}$, and $w = 1001$ as the multiplier, so that $(m, w) = 1$,
to transform the super-increasing sequence into the sequence (2002, 3337, 2503, 2170,
503, 172, 3347, 855, 709, 417).

To encrypt the message

REPLY IMMEDIATELY,

we first translate the letters of the message into their five-digit binary equivalents, as
shown in Table 8.10, and then group these digits into blocks of ten, to obtain

1000100100  0111101011  1100001000
0110001100  0010000011  0100000000
1001100100  0101111000.

For each block of ten binary digits, we form a sum by adding together the appropriate 
terms of the sequence (2002, 3337, 2503, 2170, 503, 172, 3347, 855, 709, 417) in the 
slots corresponding to positions of the block containing a digit equal to 1. This gives us 

3360 12986 8686 10042 3629 3337 5530 9529. 

For instance, we compute the first sum, 3360, by adding 2002, 503, and 855. 

To decrypt, we find the least positive residue modulo 3837 of 23 times each sum,
because 23 is an inverse of 1001 modulo 3837, and then we solve the corresponding
easy knapsack problem with respect to the original super-increasing sequence (2, 11,
14, 29, 58, 119, 241, 480, 959, 1917). For example, to decrypt the first block, we find
that $3360 \cdot 23 \equiv 540 \pmod{3837}$, and then note that $540 = 480 + 58 + 2$. This tells us
that the first block of plaintext binary digits is 1000100100.
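
The whole procedure (key transformation, encryption, and decryption by the easy-knapsack algorithm) can be run end to end. The following Python sketch is an added example, not code from the text; it uses the parameters of the worked example above, and the function names are illustrative choices.

```python
from math import gcd

# Private key from the worked example in the text.
A = (2, 11, 14, 29, 58, 119, 241, 480, 959, 1917)  # super-increasing sequence
M = 3837                                           # modulus, m > 2 * a_N
W = 1001                                           # multiplier, (m, w) = 1


def is_super_increasing(seq):
    """Each term must exceed the sum of all terms before it."""
    running = 0
    for a in seq:
        if a <= running:
            return False
        running += a
    return True


def public_sequence(a, m, w):
    """b_j = w * a_j mod m, after checking the conditions the text imposes."""
    if not is_super_increasing(a):
        raise ValueError("private sequence is not super-increasing")
    if m <= 2 * a[-1] or gcd(m, w) != 1:
        raise ValueError("need m > 2*a_N and gcd(m, w) = 1")
    return tuple(w * aj % m for aj in a)


def to_bits(message):
    """Table 8.10: A = 00000, ..., Z = 11001; other characters are dropped."""
    return "".join(format(ord(c) - ord("A"), "05b")
                   for c in message.upper() if "A" <= c <= "Z")


def encrypt(message, b):
    n = len(b)
    bits = to_bits(message)
    bits += "1" * (-len(bits) % n)          # fill the last block with ones
    return [sum(bj for bj, x in zip(b, bits[i:i + n]) if x == "1")
            for i in range(0, len(bits), n)]


def solve_easy_knapsack(s, a):
    """Find x_n, x_(n-1), ..., x_1 in succession; return the string x_1...x_n."""
    bits = []
    for aj in reversed(a):
        if s >= aj:
            bits.append("1")
            s -= aj
        else:
            bits.append("0")
    if s != 0:
        raise ValueError("no subset of the sequence has this sum")
    return "".join(reversed(bits))


def decrypt(sums, a, m, w):
    w_inv = pow(w, -1, m)                   # 23 for the example key
    bits = "".join(solve_easy_knapsack(w_inv * s % m, a) for s in sums)
    values = [int(bits[i:i + 5], 2) for i in range(0, len(bits) - 4, 5)]
    # Five-bit groups of 26 or more can only come from the all-ones padding.
    return "".join(chr(v + ord("A")) for v in values if v < 26)


if __name__ == "__main__":
    b = public_sequence(A, M, W)
    c = encrypt("REPLY IMMEDIATELY", b)
    print(b)
    print(c)
    print(decrypt(c, A, M, W))
```
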

Knapsack ciphers originally seemed to be excellent candidates for use in public key
cryptosystems. However, in 1982 Shamir [Sh84] showed that they are not satisfactory
for public key cryptography. The reason is that there is an efficient algorithm for solving
knapsack problems involving sequences $b_1, b_2, \ldots, b_n$ with $b_j \equiv wa_j \pmod{m}$, where
$w$ and $m$ are relatively prime positive integers and $a_1, a_2, \ldots, a_n$ is a super-increasing
sequence. The algorithm found by Shamir can solve these knapsack problems using only
$O(P(n))$ bit operations, where $P$ is a polynomial, instead of requiring exponential time,
as is required for known algorithms for general knapsack problems involving sequences
of a general nature. Although we will not go into the details of the algorithm found by
Shamir here, the reader can find these details by consulting [Od90].

There are several possibilities for altering this cryptosystem to avoid the weakness
found by Shamir. One such possibility is to choose a sequence of pairs of relatively prime
integers $(w_1, m_1), (w_2, m_2), \ldots, (w_r, m_r)$, and then form the series of sequences

$b_j^{(1)} \equiv w_1a_j \pmod{m_1}$
$b_j^{(2)} \equiv w_2b_j^{(1)} \pmod{m_2}$
$\;\vdots$
$b_j^{(r)} \equiv w_rb_j^{(r-1)} \pmod{m_r},$

for $j = 1, 2, \ldots, n$. We then use the final sequence $b_1^{(r)}, b_2^{(r)}, \ldots, b_n^{(r)}$ as the encrypting
sequence. Unfortunately, efficient algorithms have been found for solving knapsack
problems involving sequences obtained by iterating modular multiplications with different
moduli.

A comprehensive discussion of knapsack ciphers can be found in [Od90]. This 
article describes knapsack ciphers and their generalizations, and goes on to explain the 
attacks that have been found for breaking them. 


8.5 Exercises 

1. Decide whether each of the following sequences is super-increasing.

a) (3, 5, 9, 19, 40)
b) (2, 6, 10, 15, 36)
c) (3, 7, 17, 30, 59)
d) (11, 21, 41, 81, 151)

2. Show that if $a_1, a_2, \ldots, a_n$ is a super-increasing sequence, then $a_j \ge 2^{j-1}$ for $j = 1, 2, \ldots, n$.

3. Show that the sequence $a_1, a_2, \ldots, a_n$ is super-increasing if $a_{j+1} > 2a_j$ for $j = 1, 2, \ldots, n - 1$.

4. Find all subsets of the integers 2, 3, 4, 7, 11, 13, 16 that have 18 as their sum. 

5. Find the sequence obtained from the super-increasing sequence (1, 3, 5, 10, 20, 41, 81) when 
modular multiplication is applied with multiplier w = 17 and modulus m = 163. 

6. Encrypt the message BUY NOW using the knapsack cipher based on the sequence obtained
from the super-increasing sequence (17, 19, 37, 81, 160), by performing modular multiplication
with multiplier $w = 29$ and modulus $m = 331$.

7. Decrypt the ciphertext 402 75 120 325 that was encrypted by the knapsack cipher based on the 
sequence (306, 374, 233, 19, 259). This sequence is obtained by using modular multiplication 
with multiplier w = 11 and modulus m = 464, to transform the super-increasing sequence 
(18,22,41,83,179). 

8. Find the sequence obtained by applying successively the modular multiplications with
multipliers and moduli (7, 92), (11, 95), and (6, 101), respectively, on the super-increasing sequence
(3, 4, 8, 17, 33, 67).

9. What process can be employed to decrypt messages that have been encrypted using knapsack 
ciphers that involve sequences arising from iterating modular multiplications with different 
moduli? 

A multiplicative knapsack problem is a problem of the following type: Given positive integers
$a_1, a_2, \ldots, a_n$ and a positive integer $P$, find the subset, or subsets, of these integers with product
$P$, or equivalently, find all solutions of

$P = a_1^{x_1}a_2^{x_2} \cdots a_n^{x_n},$

where $x_j = 0$ or $1$ for $j = 1, 2, \ldots, n$.

10. Find all products of subsets of the integers 2, 3, 5, 6, 10 equal to 60. 

11. Find all products of subsets of the integers 8, 13, 17, 21, 95, 121 equal to 15,960. 

12. Show that if the integers $a_1, a_2, \ldots, a_n$ are pairwise relatively prime, then the multiplicative
knapsack problem $P = a_1^{x_1}a_2^{x_2} \cdots a_n^{x_n}$, $x_j = 0$ or $1$ for $j = 1, 2, \ldots, n$ is easily solved from
the prime factorizations of the integers $P, a_1, a_2, \ldots, a_n$, and show that if there is a solution,
then it is unique.

13. Show that by taking logarithms to the base $b$ modulo $m$, where $(b, m) = 1$ and $0 < b < m$,
the multiplicative knapsack problem

$P = a_1^{x_1}a_2^{x_2} \cdots a_n^{x_n}$

is converted into an additive knapsack problem

$S = \alpha_1x_1 + \alpha_2x_2 + \cdots + \alpha_nx_n,$

where $S, \alpha_1, \alpha_2, \ldots, \alpha_n$ are the logarithms of $P, a_1, a_2, \ldots, a_n$ to the base $b$ modulo $m$,
respectively.

14. Explain how Exercises 12 and 13 can be used to produce ciphers where messages are easily
decrypted when the mutually relatively prime integers $a_1, a_2, \ldots, a_n$ are known, but cannot
be decrypted quickly when the integers $\alpha_1, \alpha_2, \ldots, \alpha_n$ are known.

Computations and Explorations 

1. Starting with a super-increasing sequence that you have constructed, perform modular mul- 
tiplication with modulus m and multiplier w to find a sequence to serve as your public key 
for the knapsack cipher. 

2. For each of your classmates, encrypt a message using their public key for the knapsack cipher. 

3. Decrypt the messages that were sent to you by classmates. 

4. Using algorithms described in [Od90], solve knapsack problems based on a sequence obtained
by modular multiplication of a super-increasing sequence.

Programming Projects 

1. Given a knapsack problem, solve it by trial and error. 

2. Given a knapsack problem involving a super-increasing sequence, solve it. 

3. Given a message, encrypt it using a knapsack cipher. 

4. Given a message that was encrypted using knapsack ciphers and the super-increasing
sequence used for this encryption, decrypt it.

5. Encrypt and decrypt messages using knapsack ciphers involving sequences arising from 
iterating modular multiplications with different moduli. 

6. Solve multiplicative knapsack problems involving sequences of mutually relatively prime 
integers (see Exercise 14). 

8.6 Cryptographic Protocols and Applications

In this section, we describe how cryptosystems can be used in protocols, which are 
algorithms carried out by two or more parties to achieve a specific goal, and in other 
cryptographic applications. In particular, we will show how two or more people can 
exchange encryption keys. We will also explain how messages can be signed using the 
RSA cryptosystem, and how cryptography can be used to allow people to play poker 
fairly over a network. Finally, we will show how people can share a secret, so that no 
one person knows the secret, but a large enough group of people can recover the secret 
by cooperating. These are only a few of the many examples of protocols and applications 
that we could discuss; the interested reader should consult [MevaVa97] to learn about
additional protocols and applications based on the ideas we have covered in this chapter. 

Diffie-Hellman Key Exchange 

We will now discuss a protocol that allows two parties to exchange a secret key over 
an insecure communications link without having shared any information in the past. 
Exchanging keys is a problem of fundamental importance in cryptography. The method 
that we will describe was invented by Diffie and Hellman in 1976 (see [DiHe76]) and is
called the Diffie-Hellman key agreement protocol. The common secret key generated by 
this protocol can be used as a shared key for a symmetric cryptosystem to be used during 
a particular communication session by parties who have never met or shared any prior 
information. It has the property that unauthorized parties cannot discover it in a feasible 
amount of computer time. 

To implement this protocol, we need a large prime $p$ and an integer $r$ such that the
least positive residue of $r^k$ runs inclusively through all integers from 1 to $p - 1$. (This
means that $r$ is a primitive root of $p$, a concept that we will study in Chapter 9.) Both
the large prime $p$ and the integer $r$ are public information.

In this protocol, two parties who want to share a common key each pick a random
private value from the set of positive integers between 1 and $p - 2$, inclusive. If the two
parties select $k_1$ and $k_2$, respectively, the first party sends the second party the integer $y_1$,
where

$y_1 \equiv r^{k_1} \pmod{p}, \quad 0 < y_1 < p,$

and the second party finds the common key $K$ by computing

$K \equiv y_1^{k_2} \equiv r^{k_1k_2} \pmod{p}, \quad 0 < K < p.$

Similarly, the second party sends the first party the integer $y_2$, where

$y_2 \equiv r^{k_2} \pmod{p}, \quad 0 < y_2 < p,$

and the first party finds the common key $K$ by computing

$K \equiv y_2^{k_1} \equiv r^{k_1k_2} \pmod{p}, \quad 0 < K < p.$

The security of this key agreement protocol depends on the security of determining
the secret key $K$, given the least positive residues of $r^{k_1}$ and $r^{k_2}$ modulo $p$; that is, it
depends on the difficulty of computing what are known as discrete logarithms modulo $p$
(to be discussed in Chapter 9), which is thought to be a computationally difficult problem.
It has been shown (see [Ma94]) that breaking this protocol is equivalent to computing
discrete logarithms, when certain conditions hold.
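
The exchange just described, with both parties' computations shown side by side, as an added Python example that is not part of the text. The prime 467 and base 2 are small constructed values chosen only so the run is readable; the function names are illustrative.

```python
import secrets

P_MOD = 467   # constructed toy prime; a real exchange needs a large prime
R = 2         # constructed base, checked below to be a primitive root of 467


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    found, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            found.add(d)
            n //= d
        d += 1
    if n > 1:
        found.add(n)
    return found


def is_primitive_root(r, p):
    """r^k hits every integer 1..p-1 exactly when r^((p-1)/q) != 1 (mod p)
    for every prime q dividing p - 1."""
    if r % p == 0:
        return False
    return all(pow(r, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def private_value(p):
    """Random private value between 1 and p - 2, inclusive."""
    return secrets.randbelow(p - 2) + 1


def public_value(r, k, p):
    """y = r^k mod p, the integer sent over the insecure link."""
    return pow(r, k, p)


def shared_key(received, k, p):
    """K = y^k mod p; reject a received value outside 0 < y < p."""
    if not 0 < received < p:
        raise ValueError("received value is not in the range 1 .. p-1")
    return pow(received, k, p)


def exchange(p, r):
    """Run both sides of the protocol and return the full transcript."""
    if not is_primitive_root(r, p):
        raise ValueError("r is not a primitive root of p")
    k1, k2 = private_value(p), private_value(p)
    y1 = public_value(r, k1, p)          # first party -> second party
    y2 = public_value(r, k2, p)          # second party -> first party
    return {"k1": k1, "k2": k2, "y1": y1, "y2": y2,
            "K_first": shared_key(y2, k1, p),
            "K_second": shared_key(y1, k2, p)}


if __name__ == "__main__":
    print(exchange(P_MOD, R))
```
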

In a similar manner, a common key can be shared by any group of $n$ individuals. If
these individuals have keys $k_1, k_2, \ldots, k_n$, they can share the common key

$K \equiv r^{k_1k_2 \cdots k_n} \pmod{p}.$


We leave an explicit description of a method used to produce this common key as a 
problem for the reader. 

The topic of key establishment protocols extends far beyond what we have described
here. Many different protocols for establishing shared keys have been developed, including
protocols that make use of trusted servers for distributing keys. To learn more about
this topic, consult Chapter 12 of [MevaVa97].


Digital Signatures 

When we receive an electronic message, how do we know that it has come from the
supposed sender? We need a digital signature that can tell us that the message must 
have originated with the party who supposedly sent it. We will show that a public key 
cryptosystem, such as the RSA cryptosystem, can be used to send “signed” messages. 
When signatures are used, the recipient of a message is sure that the message came from 
the sender, and can convince an impartial judge that only the sender could be the source 
of the message. This authentication is needed for electronic mail, electronic banking, 
and electronic stock market transactions. To see how the RSA cryptosystem can be used 
to send signed messages, suppose that individual i wishes to send a signed message to 
individual j. The first thing that individual i does to a plaintext block P is to compute 

$S = D_{k_i}(P) \equiv P^{d_i} \pmod{n_i},$

where $(d_i, n_i)$ is the decrypting key for individual $i$, which only individual $i$ knows. Then,
if $n_j > n_i$, where $(e_j, n_j)$ is the encryption key for individual $j$, individual $i$ encrypts $S$
by forming

$C = E_{k_j}(S) \equiv S^{e_j} \pmod{n_j}, \quad 0 \le C < n_j.$

When $n_j < n_i$, individual $i$ splits $S$ into blocks of size less than $n_j$ and encrypts each
block using the encrypting transformation $E_{k_j}$.

For decrypting, individual $j$ first uses the private decrypting transformation $D_{k_j}$ to
recover $S$, because

$D_{k_j}(C) = D_{k_j}(E_{k_j}(S)) = S.$

To find the plaintext message $P$, supposedly sent by individual $i$, individual $j$ next uses
the public encrypting transformation $E_{k_i}$, because

$E_{k_i}(S) = E_{k_i}(D_{k_i}(P)) = P.$

Here, we have used the identity $E_{k_i}(D_{k_i}(P)) = P$, which follows from the fact that

$E_{k_i}(D_{k_i}(P)) \equiv (P^{d_i})^{e_i} \equiv P^{d_ie_i} \equiv P \pmod{n_i},$

because

$d_ie_i \equiv 1 \pmod{\phi(n_i)}.$

The combination of the plaintext block $P$ and the signed version $S$ convinces individual $j$
that the message actually came from individual $i$. Also, individual $i$ cannot deny sending
the message, because no one other than individual $i$ could have produced the signed
message $S$ from the original message $P$.
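
The signing and verification steps above, covering both the case $n_j > n_i$ and the case $n_j < n_i$, as an added Python example that is not from the text. The two small keys and the plaintext block are constructed; writing $S$ in base $n_j$ is one assumed way of forming "blocks of size less than $n_j$", since the text does not fix the splitting.

```python
def make_key(p, q, e):
    """Return (e, d, n) for n = p*q with d the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return e, pow(e, -1, phi), n


def split_blocks(s, base):
    """Digits of s in the given base, least significant first."""
    blocks = []
    while True:
        s, digit = divmod(s, base)
        blocks.append(digit)
        if s == 0:
            return blocks


def join_blocks(blocks, base):
    s = 0
    for digit in reversed(blocks):
        s = s * base + digit
    return s


def sign_then_encrypt(P, sender_private, recipient_public):
    """Individual i: S = P^d_i mod n_i, then each block of S is encrypted
    with individual j's public key (e_j, n_j)."""
    d_i, n_i = sender_private
    e_j, n_j = recipient_public
    if not 0 <= P < n_i:
        raise ValueError("plaintext block must be less than n_i")
    S = pow(P, d_i, n_i)
    # When n_j > n_i this is a single block, because S < n_i < n_j.
    return [pow(block, e_j, n_j) for block in split_blocks(S, n_j)]


def decrypt_then_recover(C_blocks, recipient_private, sender_public):
    """Individual j: recover S with D_kj, then P = E_ki(S) = S^e_i mod n_i."""
    d_j, n_j = recipient_private
    e_i, n_i = sender_public
    S = join_blocks([pow(c, d_j, n_j) for c in C_blocks], n_j)
    if S >= n_i:
        raise ValueError("recovered value is not a valid signature block")
    return S, pow(S, e_i, n_i)


def verify(P, S, sender_public):
    """Check that the pair (P, S) is consistent with i's public key."""
    e_i, n_i = sender_public
    return 0 <= S < n_i and pow(S, e_i, n_i) == P


# Constructed toy keys: n = 2537 for one party, n = 3233 for the other.
E1, D1, N1 = make_key(43, 59, 13)
E2, D2, N2 = make_key(61, 53, 17)

if __name__ == "__main__":
    P = 1819                                      # constructed plaintext block
    C = sign_then_encrypt(P, (D1, N1), (E2, N2))  # n_j > n_i: one block
    print(C, decrypt_then_recover(C, (D2, N2), (E1, N1)))
    C = sign_then_encrypt(P, (D2, N2), (E1, N1))  # n_j < n_i: S may be split
    print(C, decrypt_then_recover(C, (D1, N1), (E2, N2)))
```

As on the page, this signs a raw block with unpadded RSA; deployed signature schemes sign a padded hash of the message (RSA-PSS, for example), because raw RSA is multiplicative in the sense of Exercise 17 of Section 8.4.
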

Electronic Poker 

An amusing application of exponentiation ciphers has been described by Shamir, Rivest, 
and Adleman [ShRiAd81]. They show that by using exponentiation ciphers, a fair game 
of poker may be played by two players, communicating via computers. Suppose that 
Alex and Betty wish to play poker. First, they jointly choose a large prime p. Next, 
they individually choose secret keys $e_1$ and $e_2$, to be used as exponents in modular
exponentiation. Let $E_{e_1}$ and $E_{e_2}$ represent the corresponding encrypting transformations,
so that

$E_{e_1}(M) \equiv M^{e_1} \pmod{p}$
$E_{e_2}(M) \equiv M^{e_2} \pmod{p},$

where $M$ is a plaintext message. Let $d_1$ and $d_2$ be the respective inverses of $e_1$ and $e_2$
modulo $p$, and let $D_{e_1}$ and $D_{e_2}$ be the corresponding decrypting transformations, so that

$D_{e_1}(C) \equiv C^{d_1} \pmod{p}$
$D_{e_2}(C) \equiv C^{d_2} \pmod{p},$

where $C$ is a ciphertext message.

Note that encrypting transformations commute, that is,

$E_{e_1}(E_{e_2}(M)) = E_{e_2}(E_{e_1}(M)),$

because $(M^{e_2})^{e_1} \equiv (M^{e_1})^{e_2} \pmod{p}$.

To play electronic poker, the deck of cards is represented by the 52 messages

$M_1$ = “TWO OF CLUBS”
$M_2$ = “THREE OF CLUBS”
⋮
$M_{52}$ = “ACE OF SPADES.”

When Alex and Betty wish to play poker electronically, they use the following sequence
of steps. We suppose that Betty is the dealer.

1. Betty uses her encrypting transformation to encipher the 52 messages for the
cards. She obtains $E_{e_2}(M_1), E_{e_2}(M_2), \ldots, E_{e_2}(M_{52})$. Betty shuffles the deck,
by randomly reordering the encrypted messages. Then she sends the 52 shuffled
encrypted messages to Alex.

2. Alex selects, at random, five of the encrypted messages that Betty has sent
him. He returns these five messages to Betty and she decrypts them to find her
hand, using her decrypting transformation $D_{e_2}$, because $D_{e_2}(E_{e_2}(M)) = M$ for all
messages $M$. Alex cannot determine which cards Betty has, because he cannot
decrypt the encrypted messages $E_{e_2}(M_j)$, $j = 1, 2, \ldots, 52$.

3. Alex selects five other encrypted messages at random. Let these messages be
$C_1, C_2, C_3, C_4$, and $C_5$, where

$C_j = E_{e_2}(M_{i_j}),$

$j = 1, 2, 3, 4, 5$. Alex encrypts these five previously encrypted messages using his
encrypting transformation. He obtains the five messages

$C_j^* = E_{e_1}(C_j) = E_{e_1}(E_{e_2}(M_{i_j})),$

$j = 1, 2, 3, 4, 5$. Alex sends these five messages that have been encrypted twice
(first by Betty and afterward by Alex) to Betty.

4. Betty uses her decrypting transformation $D_{e_2}$ to find

$D_{e_2}(C_j^*) = D_{e_2}(E_{e_1}(E_{e_2}(M_{i_j})))$
$\qquad\quad\;\, = D_{e_2}(E_{e_2}(E_{e_1}(M_{i_j})))$
$\qquad\quad\;\, = E_{e_1}(M_{i_j}),$

because $E_{e_1}(E_{e_2}(M)) = E_{e_2}(E_{e_1}(M))$ and $D_{e_2}(E_{e_2}(M)) = M$ for all messages
$M$. Betty sends the five messages $E_{e_1}(M_{i_j})$ back to Alex.

5. Alex uses his decrypting transformation $D_{e_1}$ to obtain his hand, because

$D_{e_1}(E_{e_1}(M_{i_j})) = M_{i_j}.$


When a game is played where it is necessary to deal additional cards, such as draw 
poker, the same steps are followed to deal additional cards from the remaining deck. 
Note that using the procedure we have described, neither player knows the cards in the 
hand of the other player, and all hands are equally likely for each player. To guarantee 
that no cheating has occurred, at the end of the game both players reveal their keys so 
that each player can verify that the other player was actually dealt the cards claimed. 
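
The five dealing steps and the end-of-game key reveal, as an added Python example that is not from the text. It assumes a constructed toy prime $2^{31} - 1$, cards encoded as the integers 2 through 53, and decrypting exponents computed as inverses modulo $p - 1$, so that $ed \equiv 1 \pmod{p - 1}$ and Fermat's little theorem gives $D_e(E_e(M)) = M$.

```python
import random
import secrets
from math import gcd

P = 2**31 - 1   # constructed toy prime, jointly chosen by both players

RANKS = ("TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN", "EIGHT", "NINE",
         "TEN", "JACK", "QUEEN", "KING", "ACE")
SUITS = ("CLUBS", "DIAMONDS", "HEARTS", "SPADES")
DECK = [f"{rank} OF {suit}" for suit in SUITS for rank in RANKS]  # M_1..M_52
ENCODE = {card: i + 2 for i, card in enumerate(DECK)}  # constructed encoding
DECODE = {value: card for card, value in ENCODE.items()}


def make_key(p):
    """Secret exponent e with gcd(e, p-1) = 1 and its inverse d modulo p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def E(m, e, p=P):
    return pow(m, e, p)


def D(c, d, p=P):
    return pow(c, d, p)


def deal(p=P):
    rng = random.SystemRandom()
    e1, d1 = make_key(p)                      # Alex's key
    e2, d2 = make_key(p)                      # Betty's key (Betty deals)

    # Step 1: Betty encrypts all 52 cards, shuffles, and sends them to Alex.
    deck = [E(ENCODE[card], e2, p) for card in DECK]
    rng.shuffle(deck)

    # Step 2: Alex returns five encrypted cards; Betty decrypts her hand.
    for_betty = rng.sample(deck, 5)
    betty_hand = [DECODE[D(c, d2, p)] for c in for_betty]

    # Step 3: Alex picks five other cards and encrypts them a second time.
    remaining = [c for c in deck if c not in for_betty]
    for_alex = rng.sample(remaining, 5)
    twice = [E(c, e1, p) for c in for_alex]

    # Step 4: Betty strips her layer; what is left is E_e1(M).
    once = [D(c, d2, p) for c in twice]

    # Step 5: Alex strips his layer and reads his hand.
    alex_hand = [DECODE[D(c, d1, p)] for c in once]

    return {"alex_key": (e1, d1), "betty_key": (e2, d2),
            "for_betty": for_betty, "for_alex": for_alex, "once": once,
            "betty_hand": betty_hand, "alex_hand": alex_hand}


def audit(game, p=P):
    """After both keys are revealed, re-encrypt each claimed hand and compare
    it with the ciphertexts that were actually exchanged."""
    e1, e2 = game["alex_key"][0], game["betty_key"][0]
    betty_ok = [E(ENCODE[c], e2, p) for c in game["betty_hand"]] == game["for_betty"]
    alex_ok = ([E(ENCODE[c], e2, p) for c in game["alex_hand"]] == game["for_alex"]
               and [E(ENCODE[c], e1, p) for c in game["alex_hand"]] == game["once"])
    return betty_ok and alex_ok


if __name__ == "__main__":
    g = deal()
    print(g["betty_hand"], g["alex_hand"], audit(g))
```
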

A description of a possible weakness in this scheme, and how it may be overcome, 
may be found in the exercise set of Section 11.1. 

Secret Sharing

We now discuss another application of cryptography, namely, a method for sharing
secrets. Suppose that in a communications network there is some vital, but extremely
sensitive, information. If this information is distributed to several individuals, it becomes
much more vulnerable to exposure; on the other hand, if this information is lost, there
are serious consequences. An example of such information is the master key $K$ used for
access to the password file in a computer system.

To protect this master key $K$ from both loss and exposure, we construct shadows
$k_1, k_2, \ldots, k_r$, which are given to $r$ different individuals. We will show that the key $K$
can be produced easily from any $s$ of these shadows, where $s$ is a positive integer less
than $r$, whereas the knowledge of fewer than $s$ of these shadows does not permit the key
$K$ to be found. Because at least $s$ different individuals are needed to find $K$, the key
is not vulnerable to exposure. In addition, the key $K$ is not vulnerable to loss, because
any $s$ individuals from the $r$ individuals with shadows can produce $K$. Schemes with
properties we have just described are called $(s, r)$-threshold schemes.

To develop a system that can be used to generate shadows with these properties, we
use the Chinese remainder theorem. We choose a prime $p$ greater than the key $K$ and a
sequence of pairwise relatively prime integers $m_1, m_2, \ldots, m_r$ that are not divisible by
$p$, such that

$m_1 < m_2 < \cdots < m_r,$

and

(8.7)  $m_1m_2 \cdots m_s > p\,m_rm_{r-1} \cdots m_{r-s+2}.$

Note that the inequality (8.7) states that the product of the $s$ smallest of the integers $m_j$
is greater than the product of $p$ and the $s - 1$ largest of the integers $m_j$. From (8.7), we
see that if $M = m_1m_2 \cdots m_s$, then $M/p$ is greater than the product of any set of $s - 1$
of the integers $m_j$.

Now let $t$ be a nonnegative integer less than $M/p$ that is chosen at random. Let

$K_0 = K + tp,$

so that $0 \le K_0 \le M - 1$ (because $0 \le K_0 = K + tp < p + tp = (t + 1)p \le (M/p)p = M$).

To produce the shadows $k_1, k_2, \ldots, k_r$, we let $k_j$ be the integer such that

$k_j \equiv K_0 \pmod{m_j}, \quad 0 \le k_j < m_j,$

for $j = 1, 2, \ldots, r$. To see that the master key $K$ can be found by any $s$ individuals from
the total of $r$ individuals with shadows, suppose that the $s$ shadows $k_{j_1}, k_{j_2}, \ldots, k_{j_s}$
are available. Using the Chinese remainder theorem, we can easily find the least positive
residue of $K_0$ modulo $M_j$, where $M_j = m_{j_1}m_{j_2} \cdots m_{j_s}$. Because we know that
$0 \le K_0 < M \le M_j$, we can determine $K_0$, and then find $K = K_0 - tp$.

On the other hand, suppose that we know only the $s - 1$ shadows $k_{i_1}, k_{i_2}, \ldots, k_{i_{s-1}}$.
By the Chinese remainder theorem, we can determine the least positive residue $a$ of $K_0$
modulo $M_i$, where $M_i = m_{i_1}m_{i_2} \cdots m_{i_{s-1}}$. With these shadows, the only information we
have about $K_0$ is that $a$ is the least positive residue of $K_0$ modulo $M_i$ and $0 \le K_0 < M$.
Consequently, we only know that

$K_0 = a + xM_i,$

where $0 \le x < M/M_i$. From (8.7), we can conclude that $M/M_i > p$, so that as $x$ ranges
through the positive integers less than $M/M_i$, $x$ takes every value in a full set of residues
modulo $p$. Because $(m_j, p) = 1$ for $j = 1, 2, \ldots, s$, we know that $(M_i, p) = 1$ and,
consequently, $a + xM_i$ runs through a full set of residues modulo $p$ as $x$ does. Hence,
we see that the knowledge of $s - 1$ shadows is insufficient to determine $K_0$, as $K_0$ could
be in any of the $p$ congruence classes modulo $p$.

We use an example to illustrate this threshold scheme. 

Example 8.21. Let $K = 4$ be the master key. We will use a (2, 3)-threshold scheme 
of the kind just described, with $p = 7$, $m_1 = 11$, $m_2 = 12$, and $m_3 = 17$, so that 
$M = m_1 m_2 = 132 > p m_3 = 119$. We pick $t = 14$ randomly from among the positive integers 
less than $M/p = 132/7$. This gives us 

$K_0 = K + tp = 4 + 14 \cdot 7 = 102$. 

The three shadows $k_1$, $k_2$, and $k_3$ are the least positive residues of $K_0$ modulo $m_1$, $m_2$, 
and $m_3$; that is, 

$k_1 \equiv 102 \equiv 3 \pmod{11}$ 
$k_2 \equiv 102 \equiv 6 \pmod{12}$ 
$k_3 \equiv 102 \equiv 0 \pmod{17}$, 

so that the three shadows are $k_1 = 3$, $k_2 = 6$, and $k_3 = 0$. 

We can recover the master key $K$ from any two of the three shadows. Suppose we 
know that $k_1 = 3$ and $k_3 = 0$. Using the Chinese remainder theorem, we can determine 
$K_0$ modulo $m_1 m_3 = 11 \cdot 17 = 187$; in other words, because $K_0 \equiv 3 \pmod{11}$ and 
$K_0 \equiv 0 \pmod{17}$, we have $K_0 \equiv 102 \pmod{187}$. Because $0 \le K_0 < M = 132 < 187$, we know 
that $K_0 = 102$, and consequently the master key is $K = K_0 - tp = 102 - 14 \cdot 7 = 4$. ◄ 


For more details on secret sharing schemes, see [MevaVa97]. 
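
The threshold scheme above, including the parameter check (8.7), shadow generation, recovery from any $s$ shadows, and the set of keys still possible with fewer shadows, written out as an added Python example (not code from the text). The function names are this example's own, and $t$ is drawn so that $K_0 = K + tp \le M - 1$, the bound the recovery step relies on.

```python
from itertools import combinations
from math import gcd, prod
import secrets


def check_parameters(p, moduli, s):
    """Check the text's conditions on p and m_1 < ... < m_r; return M."""
    m = list(moduli)
    if any(a >= b for a, b in zip(m, m[1:])):
        raise ValueError("moduli must be strictly increasing")
    if any(gcd(a, b) != 1 for a, b in combinations(m, 2)):
        raise ValueError("moduli must be pairwise relatively prime")
    if any(x % p == 0 for x in m):
        raise ValueError("no modulus may be divisible by p")
    M = prod(m[:s])                          # product of the s smallest
    largest = prod(m[len(m) - (s - 1):])     # product of the s-1 largest
    if M <= p * largest:
        raise ValueError("inequality (8.7) fails")
    return M


def make_shadows(K, p, moduli, s, t=None):
    """Return the shadows k_j = K_0 mod m_j, where K_0 = K + t*p."""
    M = check_parameters(p, moduli, s)
    if not 0 <= K < p:
        raise ValueError("the key must satisfy 0 <= K < p")
    t_max = (M - 1 - K) // p                 # largest t with K_0 <= M - 1
    if t is None:
        t = secrets.randbelow(t_max + 1)     # random t, as in the text
    elif not 0 <= t <= t_max:
        raise ValueError("t out of range: K_0 would reach M")
    K0 = K + t * p
    return [K0 % m for m in moduli]


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli.

    Returns (x, N) with 0 <= x < N = product of the moduli and
    x congruent to residues[i] modulo moduli[i] for every i.
    """
    x, N = 0, 1
    for r, m in zip(residues, moduli):
        k = ((r - x) * pow(N, -1, m)) % m    # solve x + N*k = r (mod m)
        x, N = x + N * k, N * m
    return x, N


def recover_key(shares, p, s):
    """shares: (k_j, m_j) pairs from at least s shadow holders."""
    if len(shares) < s:
        raise ValueError("fewer than s shadows")
    K0, _ = crt([k for k, _ in shares], [m for _, m in shares])
    return K0 % p                            # same as K_0 - t*p, since 0 <= K < p


def candidate_keys(shares, p, M):
    """Keys consistent with too few shadows: K_0 = a + x*M_i with 0 <= K_0 < M."""
    a, Mi = crt([k for k, _ in shares], [m for _, m in shares])
    return {K0 % p for K0 in range(a, M, Mi)}


if __name__ == "__main__":
    p, moduli, s = 7, [11, 12, 17], 2        # parameters of Example 8.21
    shadows = make_shadows(4, p, moduli, s, t=14)
    print("shadows:", shadows)
    for pair in combinations(zip(shadows, moduli), 2):
        print(pair, "->", recover_key(list(pair), p, s))
    print("one shadow leaves:", sorted(candidate_keys([(shadows[0], 11)], p, 132)))
```

With a single shadow from Example 8.21, every residue class modulo 7 remains a possible key, which is the statement proved in the text for $s - 1$ shadows.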


8.6 Exercises 

1. Using the Diffie-Hellman key agreement protocol, find the common key that can be used by 
two parties with keys $k_1 = 27$ and $k_2 = 31$ when the modulus is $p = 103$ and the base $r = 5$. 

2. Using the Diffie-Hellman key agreement protocol, find the common key that can be used by 
two parties with keys k x = l and k 2 = S when the modulus is p = 53 and the base is r = 2. 
3. What is the group key $K$ that can be shared by three parties with keys $k_1 = 3$, $k_2 = 10$, and 
$k_3 = 5$, using the modulus $p = 601$ and base $r = 7$? 

4. What is the group key $K$ that can be shared by four parties with keys $k_1 = 11$, $k_2 = 12$, $k_3 = 17$, 
and $k_4 = 19$, using the modulus $p = 1009$ and base $r = 3$? 

* 5. Describe the steps of a protocol that allows $n$ parties to share a common key, as described in 
the text. 

6. Romeo and Juliet have as their RSA keys $(5, 19 \cdot 67)$ and $(3, 11 \cdot 71)$, respectively. 

a) Using the method in the text, what is the signed ciphertext message sent by Romeo to 
Juliet when the plaintext message is GOODBYE SWEET LOVE? 

b) Using the method in the text, what is the signed ciphertext message sent by Juliet to Romeo 
when the plaintext message is ADIEU FOREVER? 

7. Harold and Audrey have as their RSA keys $(3, 23 \cdot 47)$ and $(7, 31 \cdot 59)$, respectively. 

a) Using the method in the text, what is the signed ciphertext sent by Harold to Audrey when 
the plaintext message is CHEERS HAROLD? 

b) Using the method in the text, what is the signed ciphertext sent by Audrey to Harold when 
the plaintext message is SINCERELY AUDREY? 

In Exercises 8 and 9, we present two methods for sending signed messages using the RSA cipher 
system, avoiding possible changes in block sizes. 

* 8. Let $H$ be a fixed integer. Let each individual have two pairs of encrypting keys: $k = (e, n)$ 
and $k^* = (e, n^*)$ with $n < H < n^*$, where $n$ and $n^*$ are each the product of two primes. Using 
the RSA cryptosystem, individual $i$ can send a signed message $P$ to individual $j$ by sending 
$E_{k_j^*}(D_{k_i}(P))$. 

a) Show that it is not necessary to change block sizes when the transformation $E_{k_j^*}$ is applied 
after $D_{k_i}$ has been applied. 

b) Explain how individual $j$ can recover the plaintext message $P$, and why no one other than 
individual $i$ could have sent the message. 

c) Let individual $i$ have encrypting keys $(3, 11 \cdot 71)$ and $(3, 29 \cdot 41)$, so that 
$781 = 11 \cdot 71 < 1000 < 1189 = 29 \cdot 41$, and let individual $j$ have enciphering keys $(7, 19 \cdot 47)$ and 
$(7, 31 \cdot 37)$, so that $893 = 19 \cdot 47 < 1000 < 1147 = 31 \cdot 37$. What ciphertext message 
does individual $i$ send to individual $j$ using the method given at the beginning of this 
exercise when the signed plaintext message is HELLO ADAM? What ciphertext message 
does individual $j$ send to individual $i$ when the signed plaintext message is GOODBYE 
ALICE? 

* 9. a) Show that if individuals $i$ and $j$ have encrypting keys $k_i = (e_i, n_i)$ and $k_j = (e_j, n_j)$, 
respectively, where both $n_i$ and $n_j$ are products of two distinct primes, then individual $i$ 
can send a signed message $P$ to individual $j$ without needing to change the size of blocks, 
by sending 

$E_{k_j}(D_{k_i}(P))$ if $n_i < n_j$ 
$D_{k_i}(E_{k_j}(P))$ if $n_j < n_i$. 

b) How can individual $j$ recover $P$? 

c) How can individual $j$ guarantee that a message came from individual $i$? 

d) Let $k_i = (11, 47 \cdot 61)$ and $k_j = (13, 43 \cdot 59)$. Using the method described in part (a), what 
does individual $i$ send to individual $j$ if the message is REGARDS FRED, and what does 
individual $j$ send to individual $i$ if the message is REGARDS ZELDA? 

10. Decompose the master key $K = 5$ into three shadows using a (2, 3)-threshold scheme of the 
type described in the text, with $p = 7$, $m_1 = 11$, $m_2 = 12$, $m_3 = 17$, and $t = 14$, as in Example 
8.21. 

11. Decompose the master key $K = 3$ into three shadows using a (2, 3)-threshold scheme of the 
type described in the text, with $p = 5$, $m_1 = 8$, $m_2 = 9$, $m_3 = 11$, and $t = 13$. 

12. Show how to recover the master key K from each of the three pairs of shadows found in 
Exercise 10. 

13. Show how to recover the master key K from each of the three pairs of shadows found in 
Exercise 11. 

14. Construct a (3, 5)-threshold scheme of the type described in the text. Use the scheme to 
decompose the master key K = 22 into five shadows, and show how the master key can be 
found using one set of three shadows so produced. 


8.6 Computational and Programming Exercises 
Computations and Explorations 

1. Produce a set of common keys using a prime p with more than 100 digits. 

2. Produce some signed messages using the RSA cryptosystem and verify that these messages 
came from the supposed sender. 

3. Construct a (4, 6)-threshold scheme that decomposes a master key into six shadows. Distribute 
these shadows to six members of your class, and then select three different groups of four of 
these six people, reconstructing the key from the four shadows of the people in each group. 

Programming Projects 

1. Produce common keys for individuals in a network. 

2. Given a message, the encryption key $(e, n_1)$ of the recipient, and the decryption key $(d, n_2)$ 
of the sender, sign and encrypt a message. 

3. Send signed messages using an RSA cipher and the method in Exercise 8. 

4. Send signed messages using an RSA cipher and the method in Exercise 9. 

5. Play electronic poker using encryption via modular exponentiation. 

6. Find the shadows in a threshold scheme of the type described in the text. 

7. Given a set of shadows for the threshold scheme described in the text, recover the master key. 
In this chapter, we will investigate the multiplicative structure of the set of integers 
modulo n, where n is a positive integer. First, we will introduce the concept of the order 
of an integer modulo n, which is the least power of the integer that leaves a remainder 
of 1 when it is divided by n. We will study the basic properties of the order of integers 
modulo n. A positive integer x, such that the powers of x run through all the integers 
modulo n, where n is a positive integer, is called a primitive root modulo n. We will 
determine for which integers n there is a primitive root modulo n. 

Primitive roots have many uses. For example, when an integer n has a primitive 
root, discrete logarithms (also called indices) of integers can be defined. These discrete 
logarithms enjoy many properties analogous to those of logarithms of positive real 
numbers. Discrete logarithms can be used to simplify computations modulo n. 

We will show how the results of this chapter can be used to develop primality tests 
that are partial converses of Fermat’s little theorem. These tests, such as Proth’s test, are 
used extensively to show that numbers of special forms are prime. We will also establish 
procedures that can be used to certify that an integer is prime. 

Finally, we will introduce the concept of the minimal universal exponent modulo $n$. 
This is the least exponent $U$ for which $x^U \equiv 1 \pmod{n}$ for all integers $x$. We will develop 
a formula for the minimal universal exponent of $n$, and use this formula to prove some 
useful results about Carmichael numbers. 


9.1 The Order of an Integer and Primitive Roots 

In this section, we begin our study of the least positive residues modulo n of powers of 
an integer a relatively prime to n, where n is an integer greater than 1. We will start by 
studying the order of a modulo n, the exponent of the least power of a congruent to 
1 modulo n. Then, we will study integers a such that the least positive residues of the 
powers of a run through all positive integers less than n that are relatively prime to n. 
Such integers, when they exist, are called primitive roots of n. One of our major goals 
in this chapter will be to determine which positive integers have primitive roots. 

The Order of an Integer 

By Euler’s theorem, if $n$ is a positive integer and if $a$ is an integer relatively prime to $n$, 
then $a^{\phi(n)} \equiv 1 \pmod{n}$. Therefore, at least one positive integer $x$ satisfies the congruence 
$a^x \equiv 1 \pmod{n}$. Consequently, by the well-ordering property, there is a least positive 
integer $x$ satisfying this congruence. 

Definition. Let $a$ and $n$ be relatively prime integers with $a \ne 0$ and $n$ positive. Then 
the least positive integer $x$ such that $a^x \equiv 1 \pmod{n}$ is called the order of $a$ modulo $n$ 
and is denoted by $\operatorname{ord}_n a$. 

This notation $\operatorname{ord}_n a$ was introduced by Gauss in his Disquisitiones Arithmeticae in 
1801. Unlike much other notation used by Gauss, this notation remains in common use. 

Example 9.1. To find the order of 2 modulo 7, we compute the least positive residues 
modulo 7 of powers of 2. We find that 

$2^1 \equiv 2 \pmod{7}$, $2^2 \equiv 4 \pmod{7}$, $2^3 \equiv 1 \pmod{7}$. 

Therefore, $\operatorname{ord}_7 2 = 3$. 

Similarly, to find the order of 3 modulo 7, we compute 

$3^1 \equiv 3 \pmod{7}$, $3^2 \equiv 2 \pmod{7}$, $3^3 \equiv 6 \pmod{7}$, 

$3^4 \equiv 4 \pmod{7}$, $3^5 \equiv 5 \pmod{7}$, $3^6 \equiv 1 \pmod{7}$. 

We see that $\operatorname{ord}_7 3 = 6$. ◄ 

To find all solutions of the congruence $a^x \equiv 1 \pmod{n}$, we need the following 
theorem. 

Theorem 9.1. If $a$ and $n$ are relatively prime integers with $a \ne 0$ and $n > 0$, then a 
positive integer $x$ is a solution of the congruence $a^x \equiv 1 \pmod{n}$ if and only if $\operatorname{ord}_n a \mid x$. 

Proof. If $\operatorname{ord}_n a \mid x$, then $x = k \cdot \operatorname{ord}_n a$, where $k$ is a positive integer. Hence, 

$a^x = a^{k \cdot \operatorname{ord}_n a} = (a^{\operatorname{ord}_n a})^k \equiv 1 \pmod{n}$. 

Conversely, if $a^x \equiv 1 \pmod{n}$, we first use the division algorithm to write 

$x = q \cdot \operatorname{ord}_n a + r$, $0 \le r < \operatorname{ord}_n a$. 

From this equation, we see that 

$a^x = a^{q \cdot \operatorname{ord}_n a + r} = (a^{\operatorname{ord}_n a})^q a^r \equiv a^r \pmod{n}$. 

Because $a^x \equiv 1 \pmod{n}$, we know that $a^r \equiv 1 \pmod{n}$. From the inequality 
$0 \le r < \operatorname{ord}_n a$, we conclude that $r = 0$ because, by definition, $y = \operatorname{ord}_n a$ is the least positive 
integer such that $a^y \equiv 1 \pmod{n}$. Because $r = 0$, we have $x = q \cdot \operatorname{ord}_n a$. Therefore, 
$\operatorname{ord}_n a \mid x$. ■ 

Example 9.2. We can use Theorem 9.1 and Example 9.1 to determine whether $x = 10$ 
and $x = 15$ are solutions of $2^x \equiv 1 \pmod{7}$. By Example 9.1, we know that $\operatorname{ord}_7 2 = 3$. 
Because 3 does not divide 10, but 3 divides 15, by Theorem 9.1 we see that $x = 10$ is 
not a solution of $2^x \equiv 1 \pmod{7}$, but $x = 15$ is a solution of this congruence. ◄ 
Theorem 9.1 leads to the following corollary. 

Corollary 9.1.1. If $a$ and $n$ are relatively prime integers with $n > 0$, then $\operatorname{ord}_n a \mid \phi(n)$. 

Proof. Because $(a, n) = 1$, Euler’s theorem tells us that 

$a^{\phi(n)} \equiv 1 \pmod{n}$. 

Using Theorem 9.1, we conclude that $\operatorname{ord}_n a \mid \phi(n)$. ■ 

We can use Corollary 9.1.1 as a shortcut when we compute orders. The following 
example illustrates the procedure. 

Example 9.3. To find the order of 7 modulo 9, we first note that $\phi(9) = 6$. Because 
the only positive divisors of 6 are 1, 2, 3, and 6, by Corollary 9.1.1 these are the only 
possible values of $\operatorname{ord}_9 7$. Because 

$7^1 \equiv 7 \pmod{9}$, $7^2 \equiv 4 \pmod{9}$, $7^3 \equiv 1 \pmod{9}$, 

it follows that $\operatorname{ord}_9 7 = 3$. ◄ 

Example 9.4. To find the order of 5 modulo 17, we first note that $\phi(17) = 16$. Because 
the only positive divisors of 16 are 1, 2, 4, 8, and 16, by Corollary 9.1.1 these are the 
only possible values of $\operatorname{ord}_{17} 5$. Because 

$5^1 \equiv 5 \pmod{17}$, $5^2 \equiv 8 \pmod{17}$, $5^4 \equiv 13 \pmod{17}$, 

$5^8 \equiv 16 \pmod{17}$, $5^{16} \equiv 1 \pmod{17}$, 

we conclude that $\operatorname{ord}_{17} 5 = 16$. ◄ 

The following theorem will be useful in our subsequent discussions. 

Theorem 9.2. If $a$ and $n$ are relatively prime integers with $n > 0$, then $a^i \equiv a^j \pmod{n}$, 
where $i$ and $j$ are nonnegative integers, if and only if $i \equiv j \pmod{\operatorname{ord}_n a}$. 

Proof. Suppose that $i \equiv j \pmod{\operatorname{ord}_n a}$ and $0 \le j \le i$. Then we have $i = j + k \cdot \operatorname{ord}_n a$, 
where $k$ is a nonnegative integer. Hence, 

$a^i = a^{j + k \cdot \operatorname{ord}_n a} = a^j (a^{\operatorname{ord}_n a})^k \equiv a^j \pmod{n}$, 

because $a^{\operatorname{ord}_n a} \equiv 1 \pmod{n}$. 

Conversely, assume that $a^i \equiv a^j \pmod{n}$ with $i \ge j$. Because $(a, n) = 1$, we know 
that $(a^j, n) = 1$. Hence, using Corollary 4.4.1, the congruence 

$a^i \equiv a^j \equiv a^j a^{i-j} \pmod{n}$ 

implies, by cancellation of $a^j$, that 

$a^{i-j} \equiv 1 \pmod{n}$. 

By Theorem 9.1, it follows that $\operatorname{ord}_n a$ divides $i - j$, or equivalently, 
$i \equiv j \pmod{\operatorname{ord}_n a}$. ■ 

The next example illustrates the use of Theorem 9.2. 

Example 9.5. Let $a = 3$ and $n = 14$. By Theorem 9.2, we see that $3^5 \equiv 3^{11} \pmod{14}$, 
but $3^9 \not\equiv 3^{20} \pmod{14}$, because $\phi(14) = 6$ and $5 \equiv 11 \pmod{6}$ but $9 \not\equiv 20 \pmod{6}$. ◄ 


Primitive Roots 

Given an integer $n$, we are interested in integers $a$ with order modulo $n$ equal to $\phi(n)$, 
the largest possible order modulo $n$. As we will show, when such an integer exists, the 
least positive residues of its powers run through all positive integers relatively prime to 
$n$ and less than $n$. 

Definition. If $r$ and $n$ are relatively prime integers with $n > 0$ and if $\operatorname{ord}_n r = \phi(n)$, 
then $r$ is called a primitive root modulo $n$, or a primitive root of $n$, and we say that $n$ has 
a primitive root. 

Example 9.6. We have previously shown that $\operatorname{ord}_7 3 = 6 = \phi(7)$. Consequently, 3 is a 
primitive root modulo 7. Likewise, because $\operatorname{ord}_7 5 = 6$, as can easily be verified, 5 is also 
a primitive root modulo 7. ◄ 

Euler coined the term primitive root in 1773. His purported proof that every prime 
has a primitive root was incorrect, however. In Section 9.2, we will prove that every prime 
has a primitive root using the first correct proof of this result by Lagrange in 1769. Gauss 
also studied primitive roots extensively and provided several additional proofs that every 
prime has a primitive root. 

Not all integers have primitive roots. For instance, there are no primitive roots 
modulo 8. To see this, note that the only integers less than 8 and relatively prime to 
8 are 1, 3, 5, and 7, and $\operatorname{ord}_8 1 = 1$, while $\operatorname{ord}_8 3 = \operatorname{ord}_8 5 = \operatorname{ord}_8 7 = 2$. Because $\phi(8) = 4$, 
there are no primitive roots modulo 8. 

Among the first 30 positive integers, 2, 3, 4, 5, 6, 7, 9, 10, 11, 13, 14, 17, 18, 
19, 22, 23, 25, 26, 27, and 29 have primitive roots, whereas 8, 12, 15, 16, 20, 21, 24, 28, 
and 30 do not. (The reader can verify this information; see Exercises 3-6 at the end of 
this section, for example.) What can we conjecture based on this evidence? In this range, 
every prime has a primitive root (as Lagrange showed), as does every power of an odd 
prime (since $9 = 3^2$, $25 = 5^2$, and $27 = 3^3$ have primitive roots), but the only power of 2 
that has a primitive root is 4. The other integers in this range with a primitive root are 
6, 10, 14, 18, 22, and 26. What do these integers have in common? Each is 2 times an 
odd prime or power of an odd prime. Using this evidence, we conjecture that a positive 
integer has a primitive root if and only if it equals 2, 4, $p^t$, or $2p^t$, where $p$ is an 
odd prime and $t$ is a positive integer. Sections 9.2 and 9.3 are devoted to verifying this 
conjecture. 

To indicate one way in which primitive roots are useful, we give the following 
theorem. 
Theorem 9.3. If $r$ and $n$ are relatively prime positive integers with $n > 0$ and if $r$ is a 
primitive root modulo $n$, then the integers 

$r^1, r^2, \ldots, r^{\phi(n)}$ 

form a reduced residue system modulo $n$. 

Proof. To demonstrate that the first $\phi(n)$ powers of the primitive root $r$ form a reduced 
residue system modulo $n$, we need only show that they are all relatively prime to $n$ and 
that no two are congruent modulo $n$. 

Because $(r, n) = 1$, it follows from Exercise 16 of Section 3.3 that $(r^k, n) = 1$ for 
any positive integer $k$. Hence, these powers are all relatively prime to $n$. To show that no 
two of these powers are congruent modulo $n$, assume that 

$r^i \equiv r^j \pmod{n}$. 

By Theorem 9.2, we see that $i \equiv j \pmod{\operatorname{ord}_n r}$. Because $r$ is a primitive root of $n$, 
$\operatorname{ord}_n r = \phi(n)$, so that this congruence is the same as $i \equiv j \pmod{\phi(n)}$. However, for 
$1 \le i \le \phi(n)$ and $1 \le j \le \phi(n)$, the congruence $i \equiv j \pmod{\phi(n)}$ implies that $i = j$. 
Hence, no two of these powers are congruent modulo $n$. This shows that we do have a 
reduced residue system modulo $n$. ■ 

Example 9.7. By Corollary 9.1.1, we know that $\operatorname{ord}_9 2 \mid \phi(9) = 6$. Hence, the only 
possible values for $\operatorname{ord}_9 2$ are 1, 2, 3, and 6. Because none of $2^1 = 2$, $2^2 = 4$, and $2^3 = 8$ 
are congruent to 1 modulo 9, we conclude that $\operatorname{ord}_9 2$ equals 6. This tells us that 2 is 
a primitive root modulo 9. So, by Theorem 9.3, the first $\phi(9) = 6$ powers of 2 form a 
reduced residue system modulo 9. These are $2^1 \equiv 2 \pmod{9}$, $2^2 \equiv 4 \pmod{9}$, 
$2^3 \equiv 8 \pmod{9}$, $2^4 \equiv 7 \pmod{9}$, $2^5 \equiv 5 \pmod{9}$, and $2^6 \equiv 1 \pmod{9}$. ◄ 

When an integer possesses a primitive root, it usually has many primitive roots. To 
demonstrate this, we first prove the following theorem. 

Theorem 9.4. If $\operatorname{ord}_n a = t$ and if $u$ is a positive integer, then 

$\operatorname{ord}_n(a^u) = t/(t, u)$. 

Proof. Let $s = \operatorname{ord}_n(a^u)$, $v = (t, u)$, $t = t_1 v$, and $u = u_1 v$. By Theorem 3.6, we know 
that $(t_1, u_1) = 1$. 

Because $t_1 = t/(t, u)$, we want to show that $\operatorname{ord}_n(a^u) = t_1$. To do this, we will show 
that $(a^u)^{t_1} \equiv 1 \pmod{n}$, so that $s \mid t_1$, and that if $(a^u)^s \equiv 1 \pmod{n}$, then $t_1 \mid s$. First, note 
that 

$(a^u)^{t_1} = (a^{u_1 v})^{(t/v)} = (a^t)^{u_1} \equiv 1 \pmod{n}$, 

because $\operatorname{ord}_n a = t$. Hence, Theorem 9.1 tells us that $s \mid t_1$. 

On the other hand, because 

$(a^u)^s = a^{us} \equiv 1 \pmod{n}$, 

we know that $t \mid us$. Hence, $t_1 v \mid u_1 v s$ and, consequently, $t_1 \mid u_1 s$. Because $(t_1, u_1) = 1$, 
using Lemma 3.4, we see that $t_1 \mid s$. 

Now, because $s \mid t_1$ and $t_1 \mid s$, we conclude that $s = t_1 = t/v = t/(t, u)$. This proves 
the result. ■ 

Example 9.8. By Theorem 9.4, we see that $\operatorname{ord}_7 3^4 = 6/(6, 4) = 6/2 = 3$, because we 
showed in Example 9.1 that $\operatorname{ord}_7 3 = 6$. ◄ 

The following corollary of Theorem 9.4 tells us which powers of a primitive root 
are also primitive roots. 

Corollary 9.4.1. Let $r$ be a primitive root modulo $n$, where $n$ is an integer, $n > 1$. Then 
$r^u$ is a primitive root modulo $n$ if and only if $(u, \phi(n)) = 1$. 

Proof. By Theorem 9.4, we know that 

$\operatorname{ord}_n r^u = \operatorname{ord}_n r/(u, \operatorname{ord}_n r)$ 

$= \phi(n)/(u, \phi(n))$. 

Consequently, $\operatorname{ord}_n r^u = \phi(n)$, and $r^u$ is a primitive root modulo $n$, if and only if 
$(u, \phi(n)) = 1$. ■ 

This leads immediately to the following theorem. 

Theorem 9.5. If a positive integer $n$ has a primitive root, then it has a total of $\phi(\phi(n))$ 
incongruent primitive roots. 

Proof. Let $r$ be a primitive root modulo $n$. Then Theorem 9.3 tells us that the integers 
$r, r^2, \ldots, r^{\phi(n)}$ form a reduced residue system modulo $n$. By Corollary 9.4.1, we know 
that $r^u$ is a primitive root modulo $n$ if and only if $(u, \phi(n)) = 1$. Because there are exactly 
$\phi(\phi(n))$ such integers $u$, there are exactly $\phi(\phi(n))$ primitive roots modulo $n$. ■ 

Example 9.9. Let $n = 11$. Note that 2 is a primitive root modulo 11 (see Exercise 5 at 
the end of this section). Because 11 has a primitive root, by Theorem 9.5 we know that 
11 has $\phi(\phi(11)) = 4$ incongruent primitive roots. Because $\phi(11) = 10$, by the proof of 
Theorem 9.5 we see that we can find these primitive roots by taking the least nonnegative 
residues of $2^1$, $2^3$, $2^7$, and $2^9$, which are 2, 8, 7, and 6, respectively. In other words, the 
integers 2, 6, 7, 8 form a complete set of incongruent primitive roots modulo 11. ◄ 
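
The results of this section turned into a short program, as an added Python example (not code from the text): orders are found by testing only the divisors of $\phi(n)$ (Corollary 9.1.1), and once one primitive root $r$ is known the rest are generated as $r^u$ with $(u, \phi(n)) = 1$ (Corollary 9.4.1). The function names are this example's own, and the trial-division $\phi$ is meant for textbook-sized $n$ only.

```python
from math import gcd, isqrt


def phi(n):
    """Euler's phi-function, by trial-division factorization of n."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            while m % q == 0:
                m //= q
            result -= result // q        # multiply result by (1 - 1/q)
        q += 1
    if m > 1:                            # one prime factor left over
        result -= result // m
    return result


def divisors(n):
    """Positive divisors of n in increasing order."""
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


def order(a, n):
    """ord_n a: by Corollary 9.1.1 only divisors of phi(n) can occur."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError("need n > 1 and (a, n) = 1")
    for d in divisors(phi(n)):
        if pow(a, d, n) == 1:
            return d


def primitive_roots(n):
    """All incongruent primitive roots of n (empty list if there are none)."""
    f = phi(n)
    for r in range(1, n):
        if gcd(r, n) == 1 and order(r, n) == f:
            # Corollary 9.4.1: r^u is a primitive root iff (u, phi(n)) = 1.
            return sorted(pow(r, u, n) for u in range(1, f + 1) if gcd(u, f) == 1)
    return []


def has_primitive_root(n):
    return bool(primitive_roots(n))


if __name__ == "__main__":
    print("ord_7 2 =", order(2, 7), " ord_7 3 =", order(3, 7))
    print("ord_9 7 =", order(7, 9), " ord_17 5 =", order(5, 17))
    print("primitive roots of 11:", primitive_roots(11))
    print("primitive roots of 8:", primitive_roots(8))
    print("n <= 30 with a primitive root:",
          [n for n in range(2, 31) if has_primitive_root(n)])
```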


9.1 Exercises 

1. Determine the following orders. 

a) $\operatorname{ord}_5 2$ b) $\operatorname{ord}_{10} 3$ c) $\operatorname{ord}_{13} 10$ d) $\operatorname{ord}_{10} 7$ 

2. Determine the following orders. 

a) $\operatorname{ord}_{11} 3$ b) $\operatorname{ord}_{17} 2$ c) $\operatorname{ord}_{21} 10$ d) $\operatorname{ord}_{25} 9$ 

3. Show that $\operatorname{ord}_3 2 = 2$, $\operatorname{ord}_5 2 = 4$, and $\operatorname{ord}_7 2 = 3$. 

4. Show that $\operatorname{ord}_{13} 2 = 12$, $\operatorname{ord}_{17} 2 = 8$, and $\operatorname{ord}_{241} 2 = 12$ 

5. a) Show that 5 is a primitive root of 6. 

b) Show that 2 is a primitive root of 11. 

6. Find a primitive root modulo each of the following integers. 

a) 4 b) 5 c) 10 d) 13 e) 14 f) 18 

7. Show that the integer 12 has no primitive roots. 

8. Show that the integer 20 has no primitive roots. 

9. How many incongruent primitive roots does 14 have? Find a set of this many incongruent 
primitive roots modulo 14. 

10. How many incongruent primitive roots does 13 have? Find a set of this many incongruent 
primitive roots modulo 13. 

11. Show that if $\bar{a}$ is an inverse of $a$ modulo $n$, then $\operatorname{ord}_n a = \operatorname{ord}_n \bar{a}$. 

12. Show that if $n$ is a positive integer and $a$ and $b$ are integers relatively prime to $n$ such that 
$(\operatorname{ord}_n a, \operatorname{ord}_n b) = 1$, then $\operatorname{ord}_n(ab) = \operatorname{ord}_n a \cdot \operatorname{ord}_n b$. 

13. What can be said about $\operatorname{ord}_n(ab)$ if $a$ and $b$ are integers relatively prime to $n$ such that $\operatorname{ord}_n a$ 
and $\operatorname{ord}_n b$ are not necessarily relatively prime? 

14. Decide whether it is true that if $n$ is a positive integer and $d$ is a divisor of $\phi(n)$, then there is 
an integer $a$ with $\operatorname{ord}_n a = d$. Give reasons for your answer. 

15. Show that if $a$ is an integer relatively prime to the positive integer $m$ and $\operatorname{ord}_m a = st$, then 
$\operatorname{ord}_m a^t = s$. 

16. Show if $m$ is a positive integer and $a$ is an integer relatively prime to $m$ such that 
$\operatorname{ord}_m a = m - 1$, then $m$ is prime. 

17. Show that $r$ is a primitive root modulo the odd prime $p$ if and only if $r$ is an integer with 
$(r, p) = 1$ such that 

$r^{(p-1)/q} \not\equiv 1 \pmod{p}$ 

for all prime divisors $q$ of $p - 1$. 

18. Show that if $r$ is a primitive root modulo the positive integer $m$, then $\bar{r}$ is also a primitive root 
modulo $m$ if $\bar{r}$ is an inverse of $r$ modulo $m$. 

19. Show that $\operatorname{ord}_{F_n} 2 \le 2^{n+1}$, where $F_n = 2^{2^n} + 1$ is the $n$th Fermat number. 

* 20. Let $p$ be a prime divisor of the Fermat number $F_n = 2^{2^n} + 1$. 

a) Show that $\operatorname{ord}_p 2 = 2^{n+1}$. 

b) From part (a), conclude that $2^{n+1} \mid (p - 1)$, so that $p$ must be of the form $2^{n+1}k + 1$. 

21. Let $m = a^n - 1$, where $a$ and $n$ are positive integers. Show that $\operatorname{ord}_m a = n$, and conclude that 
$n \mid \phi(m)$. 

* 22. a) Show that if $p$ and $q$ are distinct odd primes, then $pq$ is a pseudoprime to the base 2 if 
and only if $\operatorname{ord}_q 2 \mid (p - 1)$ and $\operatorname{ord}_p 2 \mid (q - 1)$. 

b) Use part (a) to decide which of the following integers are pseudoprimes to the base 2: 
$13 \cdot 67$, $19 \cdot 73$, $23 \cdot 89$, $29 \cdot 97$. 

* 23. Show that if $p$ and $q$ are distinct odd primes, then $pq$ is a pseudoprime to the base 2 if and 
only if $M_p M_q = (2^p - 1)(2^q - 1)$ is a pseudoprime to the base 2. 


Exercises 24 and 25 deal with a conjecture de Polignac made in 1849 that stated that for every 
odd integer $k$, there is a prime of the form $2^n + k$ where $n$ is a positive integer. 

24. a) Show, using Exercise 3, that if $n \equiv 1 \pmod{2}$, then $3 \mid 2^n + 61$, if $n \equiv 2 \pmod{4}$, then 
$5 \mid 2^n + 61$, and if $n \equiv 1 \pmod{3}$, then $7 \mid 2^n + 61$. 

b) Conclude from part (a) that $2^n + 61$ is composite for all positive integers $n$ with 
$n \not\equiv 0$ or $8 \pmod{12}$. 

c) Find a positive integer $n$ for which $2^n + 61$ is prime, using part (b) to help. 

25. a) Use Exercises 3 and 4, together with Exercise 31 of Section 4.3, to show that if $k$ is 
an integer with $k \equiv -2^1 \pmod{3}$, $k \equiv -2^2 \pmod{5}$, $k \equiv -2^1 \pmod{7}$, $k \equiv -2^8 \pmod{13}$, 
$k \equiv -2^4 \pmod{17}$, and $k \equiv -2^0 \pmod{241}$, then $2^n + k$ is composite for all positive 
integers $n$. 

b) Use the Chinese remainder theorem to find a positive integer $k$ for which $2^n + k$ is 
composite for all positive integers, disproving de Polignac’s conjecture. 

There is an iterative method known as the cycling attack for decrypting messages that were 
encrypted by an RSA cipher, without knowledge of the decrypting key. Suppose that the public 
key $(e, n)$ used for encrypting is known, but the decrypting key $(d, n)$ is not. To decrypt a 
ciphertext block $C$, we form a sequence $C_1, C_2, C_3, \ldots$, setting $C_1 \equiv C^e \pmod{n}$, $0 \le C_1 < n$, 
and $C_{j+1} \equiv C_j^e \pmod{n}$, $0 \le C_{j+1} < n$ for $j = 1, 2, 3, \ldots$. 

26. Show that $C_j \equiv C^{e^j} \pmod{n}$, $0 \le C_j < n$. 

27. Show that there is an index $j$ such that $C_j = C$ and $C_{j-1} = P$, where $P$ is the original plaintext 
message. Show that this index $j$ is a divisor of $\operatorname{ord}_{\phi(n)} e$. 

28. Let $n = 47 \cdot 59$ and $e = 17$. Using iteration, find the plaintext corresponding to the ciphertext 
1504. 

(Note: This iterative method for attacking RSA ciphers is seldom successful in a reasonable 
amount of time. Moreover, the primes p and q may be chosen so that this attack is almost always 
futile. See Exercise 19 of Section 9.2.) 
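
The iteration described in the preamble to Exercise 26, as an added Python example (not code from the text), run on a constructed toy key $p = 61$, $q = 53$, $e = 17$ and a constructed plaintext block rather than the values of Exercise 28. It also computes $\operatorname{ord}_{\phi(n)} e$, the quantity from Exercise 27 that bounds the cycle length and that the closing note says can be made large by the choice of $p$ and $q$; the function names are this example's own.

```python
from math import gcd


def cycle(c, e, n, limit=1_000_000):
    """Form C_1 = c^e, C_{j+1} = C_j^e (mod n) until some C_j equals c.

    Returns (j, C_{j-1}), taking C_0 = c. C_{j-1} is the block whose
    encryption under the public key (e, n) is c.
    """
    prev, cur, j = c, pow(c, e, n), 1
    while cur != c:
        if j >= limit:
            raise RuntimeError("gave up: cycle longer than limit")
        prev, cur, j = cur, pow(cur, e, n), j + 1
    return j, prev


def order(a, m):
    """Least x > 0 with a^x = 1 (mod m), by direct search (toy sizes only)."""
    if m < 2 or gcd(a, m) != 1:
        raise ValueError("need m > 1 and (a, m) = 1")
    x, y = 1, a % m
    while y != 1:
        y, x = (y * a) % m, x + 1
    return x


def toy_run():
    """Constructed toy key and plaintext block; nothing here is from the text."""
    p, q, e = 61, 53, 17
    n, phi_n = p * q, (p - 1) * (q - 1)
    plaintext = 1234
    ciphertext = pow(plaintext, e, n)
    j, recovered = cycle(ciphertext, e, n)
    return plaintext, recovered, j, order(e, phi_n)


if __name__ == "__main__":
    plaintext, recovered, j, bound = toy_run()
    print("recovered block:", recovered, "(matches:", recovered == plaintext, ")")
    print("cycle length j =", j, "divides ord_phi(n) e =", bound)
```

For moduli of realistic size the loop hits `limit` long before a cycle closes, which is the point of the note above.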

Computations and Explorations 

1. Find $\operatorname{ord}_{52{,}579} 2$, $\operatorname{ord}_{52{,}579} 3$, and $\operatorname{ord}_{52{,}579} 1001$. 

2. Find as many integers as you can for which 2 is a primitive root. Do you think that there are 
infinitely many such integers? 

Programming Projects 

1. Find the order of a modulo m, when a and m are relatively prime positive integers. 

2. Find primitive roots when they exist. 

3. Attempt to decrypt RSA ciphers by iteration (see the preamble to Exercise 26). 


9.2 Primitive Roots for Primes 

In this and the following section, our objective is to determine which integers have 
primitive roots. In this section, we show that every prime has a primitive root. To do 
this, we first need to study polynomial congruences. 
Let $f(x)$ be a polynomial with integer coefficients. We say that an integer $c$ is a root 
of $f(x)$ modulo $m$ if $f(c) \equiv 0 \pmod{m}$. It is easy to see that if $c$ is a root of $f(x)$ modulo 
$m$, then every integer congruent to $c$ modulo $m$ is also a root. 

Example 9.10. The polynomial $f(x) = x^2 + x + 1$ has exactly two incongruent roots 
modulo 7, namely, $x \equiv 2 \pmod{7}$ and $x \equiv 4 \pmod{7}$. ◄ 

Example 9.11. The polynomial $g(x) = x^2 + 2$ has no roots modulo 5. ◄ 

Example 9.12. Fermat’s little theorem tells us that if $p$ is prime, then the polynomial 
$h(x) = x^{p-1} - 1$ has exactly $p - 1$ incongruent roots modulo $p$, namely, 
$x \equiv 1, 2, 3, \ldots, p - 1 \pmod{p}$. ◄ 

We will need the following important theorem concerning roots of polynomials 
modulo p where p is a prime. 

Theorem 9.6. Lagrange’s Theorem. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ 
be a polynomial of degree $n$, $n \ge 1$, with integer coefficients and with leading coefficient 
$a_n$ not divisible by $p$. Then $f(x)$ has at most $n$ incongruent roots modulo $p$. 

Proof. We use mathematical induction to prove the theorem. When $n = 1$, we have 
$f(x) = a_1 x + a_0$ with $p \nmid a_1$. A root of $f(x)$ modulo $p$ is a solution of the linear 
congruence $a_1 x \equiv -a_0 \pmod{p}$. By Theorem 4.10, because $(a_1, p) = 1$, this linear 
congruence has exactly one solution, so that there is exactly one root modulo $p$ of $f(x)$. 
Clearly, the theorem is true for $n = 1$. 

Now suppose that the theorem is true for polynomials of degree $n - 1$, and let $f(x)$ 
be a polynomial of degree $n$ with leading coefficient not divisible by $p$. Assume that 
the polynomial $f(x)$ has $n + 1$ incongruent roots modulo $p$, say, $c_0, c_1, \ldots, c_n$, so that 
$f(c_k) \equiv 0 \pmod{p}$ for $k = 0, 1, \ldots, n$. We have 

$f(x) - f(c_0) = a_n(x^n - c_0^n) + a_{n-1}(x^{n-1} - c_0^{n-1}) + \cdots + a_1(x - c_0)$ 

$= a_n(x - c_0)(x^{n-1} + x^{n-2}c_0 + \cdots + x c_0^{n-2} + c_0^{n-1})$ 

$+ a_{n-1}(x - c_0)(x^{n-2} + x^{n-3}c_0 + \cdots + x c_0^{n-3} + c_0^{n-2})$ 

$+ \cdots + a_1(x - c_0)$ 

$= (x - c_0)g(x)$, 

where $g(x)$ is a polynomial of degree $n - 1$ with leading coefficient $a_n$. We now show 
that $c_1, c_2, \ldots, c_n$ are all roots of $g(x)$ modulo $p$. Let $k$ be an integer, $1 \le k \le n$. Because 
$f(c_k) \equiv f(c_0) \equiv 0 \pmod{p}$, we have 

$f(c_k) - f(c_0) = (c_k - c_0)g(c_k) \equiv 0 \pmod{p}$. 

It follows that $g(c_k) \equiv 0 \pmod{p}$, because $c_k - c_0 \not\equiv 0 \pmod{p}$. Hence, $c_k$ is a root 
of $g(x)$ modulo $p$. This shows that the polynomial $g(x)$, which is of degree $n - 1$ and 
has a leading coefficient not divisible by $p$, has $n$ incongruent roots modulo $p$. This 
contradicts the induction hypothesis. Hence, $f(x)$ must have no more than $n$ incongruent 
roots modulo $p$. The induction argument is complete. ■ 

We use Lagrange’s theorem to prove the following result. 

Theorem 9.7. Let $p$ be prime and let $d$ be a divisor of $p - 1$. Then the polynomial 
$x^d - 1$ has exactly $d$ incongruent roots modulo $p$. 

Proof. Let $p - 1 = de$. Then 

$x^{p-1} - 1 = (x^d - 1)(x^{d(e-1)} + x^{d(e-2)} + \cdots + x^d + 1)$ 

$= (x^d - 1)g(x)$. 

From Fermat’s little theorem, we see that $x^{p-1} - 1$ has $p - 1$ incongruent roots modulo 
$p$. Furthermore, any root of $x^{p-1} - 1$ modulo $p$ is either a root of $x^d - 1$ modulo $p$ or a 
root of $g(x)$ modulo $p$. 

Lagrange’s theorem tells us that $g(x)$ has at most $d(e - 1) = p - d - 1$ roots modulo 
$p$. Because every root of $x^{p-1} - 1$ modulo $p$ that is not a root of $g(x)$ modulo $p$ 
must be a root of $x^d - 1$ modulo $p$, we know that the polynomial $x^d - 1$ has at least 
$(p - 1) - (p - d - 1) = d$ incongruent roots modulo $p$. On the other hand, Lagrange’s 
theorem tells us that it has at most $d$ incongruent roots modulo $p$. Consequently, $x^d - 1$ 
has precisely $d$ incongruent roots modulo $p$. ■ 

Theorem 9.7 can be used to prove a useful result that tells us how many incongruent 
integers have a given order modulo p. Before proving this result, we present a lemma 
needed for its proof. 

Lemma 9.1. Let $p$ be a prime and let $d$ be a positive divisor of $p - 1$. Then the number 
of positive integers less than $p$ of order $d$ modulo $p$ does not exceed $\phi(d)$. 

Proof. For each positive integer $d$ dividing $p - 1$, let $F(d)$ denote the number of 
positive integers of order $d$ modulo $p$ that are less than $p$. 

If $F(d) = 0$, it is clear that $F(d) \le \phi(d)$. Otherwise, there is an integer $a$ of order 
$d$ modulo $p$. Because $\operatorname{ord}_p a = d$, the integers 


are incongruent modulo $p$. Furthermore, each of these powers of $a$ is a root of $x^d - 1$ 
modulo $p$, because $(a^k)^d = (a^d)^k \equiv 1 \pmod{p}$ for all positive integers $k$. By Theorem 
9.7, we know that $x^d - 1$ has exactly $d$ incongruent roots modulo $p$, so every root modulo 
$p$ is congruent to one of these powers of $a$. 

Now, by Theorem 9.4, we know that the powers of $a$ with order $d$ are those of the 
form $a^k$ with $(k, d) = 1$. There are exactly $\phi(d)$ such integers $k$ with $1 \le k \le d$, and 
consequently, if there is one element of order $d$ modulo $p$, there must be exactly $\phi(d)$ 
such positive integers less than $p$. Hence, $F(d) \le \phi(d)$. ■ 

We now can determine how many incongruent integers can have a given order 
modulo p. 

Theorem 9.8. Let p be a prime and let d be a positive divisor of $p - 1$. Then the number 
of incongruent integers of order d modulo p is equal to $\phi(d)$. 

Proof. For each positive integer d dividing $p - 1$, let F(d) denote the number of 
positive integers of order d modulo p that are less than p. Because the order modulo 
p of an integer not divisible by p divides $p - 1$, it follows that 

$$p - 1 = \sum_{d \mid p-1} F(d).$$

By Theorem 7.7, we know that 

$$p - 1 = \sum_{d \mid p-1} \phi(d).$$

By Lemma 9.1, $F(d) \le \phi(d)$ when $d \mid (p - 1)$. This inequality, together with the equality 

$$\sum_{d \mid p-1} F(d) = \sum_{d \mid p-1} \phi(d),$$

implies that $F(d) = \phi(d)$ for each positive divisor d of $p - 1$. 

Therefore, we can conclude that $F(d) = \phi(d)$, which tells us that there are precisely 
$\phi(d)$ incongruent integers of order d modulo p. ■

The following corollary is derived immediately from Theorem 9.8. 

Corollary 9.8.1. Every prime has a primitive root. 

Proof. Let p be a prime. By Theorem 9.8, we know that there are $\phi(p - 1)$ incongruent 
integers of order $p - 1$ modulo p. Because each of these is, by definition, a primitive 
root, p has $\phi(p - 1)$ primitive roots. ■

Note that Corollary 9.8.1 provides a nonconstructive existence proof of primitive 
roots modulo a prime. The smallest positive primitive root of each prime less than 1000 
is given in Table 3 of Appendix E; looking at the table, we see that 2 is the least primitive 
root of many primes p. Is 2 a primitive root for infinitely many primes? The answer to 
this question is not known, and it is also unknown when we replace 2 by an integer other 
than ± 1 or a perfect square. Evidence suggests the truth of the following conjecture made 
by Emil Artin. 

Artin’s conjecture. The integer a is a primitive root of infinitely many primes if 
$a \ne \pm 1$ and a is not a perfect square. 

Although Artin’s conjecture has not been settled, there are some interesting partial 
results. For example, one consequence of work by Roger Heath-Brown is that there are 
at most two primes and three positive square-free integers a such that a is a primitive 
root of only finitely many primes. One implication of this work is that at least one of the 
integers 2, 3, and 5 is a primitive root for infinitely many primes. 

Many mathematicians have studied the problem of determining bounds on $g_p$, the 
smallest primitive root for a prime p. Among the results that have been proved are that 

$$g_p > C \log p$$

for some constant C and infinitely many primes p. This result, proved by Fridlender (in 
1949), and independently by Salie (in 1950), shows that there are infinitely many primes 
where the least primitive root is larger than any particular positive integer. However, 
$g_p$ does not grow very quickly. Grosswald showed (in 1981) that if p is a prime with 
$p > e^{e^{24}}$, then $g_p < p^{0.499}$. Another interesting result, proved in the problems section of 
the American Mathematical Monthly in 1984, is that for every positive integer M, there 
are infinitely many primes p such that $M < g_p < p - M$. 


9.2 Exercises 

1. Find the number of incongruent roots modulo 11 of each of the following polynomials. 

a) $x^2 + 2$   b) $x^2 + 10$   c) $x^3 + x^2 + 2x + 2$   d) $x^4 + x^2 + 1$ 

2. Find the number of incongruent roots modulo 13 of each of the following polynomials. 

a) $x^2 + 1$   b) $x^2 + 3x + 2$   c) $x^3 + 12$   d) $x^4 + x^2 + x + 1$ 

3. Find the number of primitive roots of each of the following primes. 

a) 7   b) 13   c) 17   d) 19   e) 29   f) 47 

4. Find a complete set of incongruent primitive roots of 7. 

5. Find a complete set of incongruent primitive roots of 13. 

6. Find a complete set of incongruent primitive roots of 17. 



EMIL ARTIN (1898-1962) was born in Vienna, Austria. He served in the 
Austrian army during World War I. In 1921, he received a Ph.D. from the 
University of Leipzig, which he attended both as an undergraduate and as a 
graduate student. He attended the University of Göttingen from 1922 until 1923. 
In 1923, he was appointed to a position at the University of Hamburg. Artin was 
forced to leave Germany in 1937 as a result of Nazi regulations because his wife 
was Jewish, although he was not. He emigrated to the United States, where he 
taught at Notre Dame University (1937-1938), Indiana University (1938-1946), 
and Princeton University (1946-1958). He returned to Germany, taking a position at the University 
of Hamburg, in 1958. 

Artin made major contributions to several areas of abstract algebra, including ring theory and 
group theory. He also invented the concept of braid structures, defined using the concept of strings 
woven to form braids, now studied by topologists and algebraists. Artin made major contributions to 
both analytic and algebraic number theory, beginning with his research involving quadratic fields. 

Artin excelled as a teacher and advisor of students. He was also a talented musician who played 
the harpsichord, clavichord, and flute and was a devotee of old music. 

7. Find a complete set of incongruent primitive roots of 19. 

8. Let r be a primitive root of the prime p with $p \equiv 1 \pmod{4}$. Show that $-r$ is also a primitive 
root. 

9. Show that if p is a prime and $p \equiv 1 \pmod{4}$, then there is an integer x such that $x^2 \equiv -1 \pmod{p}$. 
(Hint: Use Theorem 9.8 to show that there is an integer x of order 4 modulo p.) 

10. a) Find the number of incongruent roots modulo 6 of the polynomial $x^2 - x$. 
b) Explain why the answer to part (a) does not contradict Lagrange’s theorem. 

11. a) Use Lagrange’s theorem to show that if p is a prime and f(x) is a polynomial of degree n 
with integer coefficients and more than n roots modulo p, then p divides every coefficient 
of f(x). 

b) Let p be prime. Using part (a), show that every coefficient of the polynomial 
$f(x) = (x - 1)(x - 2) \cdots (x - p + 1) - x^{p-1} + 1$ is divisible by p. 

c) Using part (b), give a proof of Wilson’s theorem (Theorem 6.1). (Hint: Consider the 
constant term of f(x).) 

12. Find the least positive residue of the product of a set of $\phi(p - 1)$ incongruent primitive roots 
modulo a prime p. 

* 13. A systematic method for constructing a primitive root modulo a prime p is outlined in 
this problem. Let the prime factorization of $\phi(p) = p - 1$ be $p - 1 = q_1^{t_1} q_2^{t_2} \cdots q_r^{t_r}$, where 
$q_1, q_2, \ldots, q_r$ are prime. 

a) Use Theorem 9.8 to show that there are integers $a_1, a_2, \ldots, a_r$ such that $\operatorname{ord}_p a_1 = q_1^{t_1}$, 
$\operatorname{ord}_p a_2 = q_2^{t_2}$, ..., $\operatorname{ord}_p a_r = q_r^{t_r}$. 

b) Use Exercise 10 of Section 9.1 to show that $a = a_1 a_2 \cdots a_r$ is a primitive root modulo p. 

c) Follow the procedure outlined in parts (a) and (b) to find a primitive root modulo 29. 

* 14. Suppose that the composite positive integer n has prime-power factorization 
$n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$. Show that the number of incongruent bases modulo n for which n is a 
pseudoprime to that base is $\prod_{j=1}^{r} (n - 1, p_j - 1)$. 

15. Use Exercise 14 to show that every odd composite integer that is not a power of 3 is a 
pseudoprime to at least two bases other than ±1. 

16. Show that if p is prime and $p = 2q + 1$, where q is an odd prime and a is a positive integer 
with $1 < a < p - 1$, then $p - a^2$ is a primitive root modulo p. 

* 17. a) Suppose that f(x) is a polynomial with integer coefficients of degree $n - 1$. Let 
$x_1, x_2, \ldots, x_n$ be n incongruent integers modulo p. Show that for all integers x, the congruence 

$$f(x) \equiv \sum_{j=1}^{n} f(x_j) \prod_{\substack{i=1 \\ i \ne j}}^{n} (x - x_i)\,\overline{(x_j - x_i)} \pmod{p}$$

holds, where $\overline{x_j - x_i}$ is an inverse of $x_j - x_i$ modulo p. This technique for finding f(x) 
modulo p is called Lagrange interpolation. 

b) Find the least positive residue of f(5) modulo 11 if f(x) is a polynomial of degree 3 with 
$f(1) \equiv 8$, $f(2) \equiv 2$, and $f(3) \equiv 4 \pmod{11}$. 

18. In this exercise, we develop a threshold scheme for protection of master keys in a computer 
system, different from the scheme discussed in Section 8.6. Let f(x) be a randomly chosen 
polynomial of degree $r - 1$, with the condition that K, the master key, is the constant term of 
the polynomial. Let p be a prime, such that p > K and p > s. The s shadows $k_1, k_2, \ldots, k_s$ 
are computed by finding the least positive residue of $f(x_j)$ modulo p for j = 1, 2, ..., s, 
where $x_1, x_2, \ldots, x_s$ are randomly chosen integers incongruent modulo p; that is, 

$$k_j \equiv f(x_j) \pmod{p}, \quad 0 \le k_j < p,$$

for j = 1, 2, ..., s. 

a) Use Lagrange interpolation, described in Exercise 17, to show that the master key K can 
be determined from any r shadows. 

b) Show that the master key K cannot be determined from fewer than r shadows. 

c) Let K = 33, p = 47, r = 4, and s = 7. Let $f(x) = 4x^3 + x^2 + 31x + 33$. Find the seven 
shadows corresponding to the values of f(x) at 1, 2, 3, 4, 5, 6, 7. 

d) Show how to find the master key from the four shadows f(1), f(2), f(3), and f(4). 

19. Show that an RSA cipher with encrypting modulus n = pq is resistant to the cycling attack 
(see the preamble to Exercise 26 of Section 9.1) if $p - 1$ and $q - 1$ have large prime factors 
$p'$ and $q'$, respectively, and $p' - 1$ and $q' - 1$ have large prime factors $p''$ and $q''$, respectively. 

Computations and Explorations 

1. Find the least primitive root for each of the primes 10,007, 10,009, and 10,037. 

2. Erdos has asked whether for each sufficiently large prime p there is a prime q for which q is a 
primitive root of p. What evidence can you find for this conjecture? For which small primes 
p is the statement in the conjecture false? 

Programming Projects 

1. Given a prime p, use Exercise 13 to find a primitive root of p. 

2. Implement the threshold scheme given in Exercise 18. 


9.3 The Existence of Primitive Roots 

In the previous section, we showed that every prime has a primitive root. In this section, 
we will find all positive integers having primitive roots. First, we will show that every 
power of an odd prime possesses a primitive root. 

Primitive Roots Modulo $p^2$, p Prime   The first step in showing that every power of 
an odd prime has a primitive root is to show that every square of an odd prime has a 
primitive root. 

Theorem 9.9. If p is an odd prime with primitive root r, then either r or r + p is a 
primitive root modulo $p^2$. 

Proof. Because r is a primitive root modulo p, we know that 

$$\operatorname{ord}_p r = \phi(p) = p - 1.$$

Let $n = \operatorname{ord}_{p^2} r$, so that 

$$r^n \equiv 1 \pmod{p^2}.$$

Because a congruence modulo $p^2$ obviously holds modulo p, we have 

$$r^n \equiv 1 \pmod{p}.$$

By Theorem 9.1, because $p - 1 = \operatorname{ord}_p r$, it follows that 

$$(p - 1) \mid n.$$

On the other hand, Corollary 9.1.1 tells us that 

$$n \mid \phi(p^2).$$

Because $\phi(p^2) = p(p - 1)$, this implies that $n \mid p(p - 1)$. Because $n \mid p(p - 1)$ and 
$(p - 1) \mid n$, either $n = p - 1$ or $n = p(p - 1)$. If $n = p(p - 1)$, then r is a primitive root 
modulo $p^2$, because $\operatorname{ord}_{p^2} r = \phi(p^2)$. Otherwise, we have $n = p - 1$, so that 

(9.1)   $r^{p-1} \equiv 1 \pmod{p^2}$. 

Let s = r + p. Then, because $s \equiv r \pmod{p}$, s is also a primitive root modulo p. 
Hence, $\operatorname{ord}_{p^2} s$ equals either $p - 1$ or $p(p - 1)$. We will show that $\operatorname{ord}_{p^2} s = p(p - 1)$ 
by eliminating the possibility that $\operatorname{ord}_{p^2} s = p - 1$. 

To show that $\operatorname{ord}_{p^2} s \ne p - 1$, first note that by the binomial theorem we have 

$$s^{p-1} = (r + p)^{p-1} = r^{p-1} + (p - 1) r^{p-2} p + \binom{p-1}{2} r^{p-3} p^2 + \cdots + p^{p-1}$$
$$\equiv r^{p-1} + (p - 1)p \cdot r^{p-2} \pmod{p^2}.$$

Hence, using (9.1), we see that 

$$s^{p-1} \equiv 1 + (p - 1)p \cdot r^{p-2} \equiv 1 - p r^{p-2} \pmod{p^2}.$$

From this last congruence, we can show that 

$$s^{p-1} \not\equiv 1 \pmod{p^2}.$$

To see this, note that if $s^{p-1} \equiv 1 \pmod{p^2}$, then $p r^{p-2} \equiv 0 \pmod{p^2}$. This last congruence 
implies that $r^{p-2} \equiv 0 \pmod{p}$, which is impossible because $p \nmid r$ (remember that 
r is a primitive root of p). 

Because $\operatorname{ord}_{p^2} s \ne p - 1$, we can conclude that $\operatorname{ord}_{p^2} s = p(p - 1) = \phi(p^2)$. 
Consequently, s = r + p is a primitive root of $p^2$. ■

Example 9.13. The prime p = 7 has r = 3 as a primitive root. Using observations made 
in the proof of Theorem 9.9, either $\operatorname{ord}_{49} 3 = 6$ or $\operatorname{ord}_{49} 3 = 42$. However, 

$$r^{p-1} = 3^6 \not\equiv 1 \pmod{49}.$$

It follows that $\operatorname{ord}_{49} 3 = 42$. Hence, 3 is also a primitive root of $p^2 = 49$. ◄ 

We note that it is extremely rare for the congruence 

$$r^{p-1} \equiv 1 \pmod{p^2}$$

to hold when r is a primitive root modulo the prime p with r < p. Consequently, it is very 
seldom that a primitive root r modulo the prime p is not also a primitive root modulo 
$p^2$. When this occurs, Theorem 9.9 tells us that r + p is a primitive root modulo $p^2$. The 
following example illustrates this. 

Example 9.14. Let p = 487. For the primitive root 10 modulo 487, we have 

$$10^{486} \equiv 1 \pmod{487^2}.$$

Hence, 10 is not a primitive root modulo $487^2$ but, by Theorem 9.9, we know that 
497 = 10 + 487 is a primitive root modulo $487^2$. ◄ 

Primitive Roots Modulo $p^k$, p Prime and k a Positive Integer   Next, we show that 
arbitrary powers of odd primes have primitive roots. 

Theorem 9.10. Let p be an odd prime. Then $p^k$ has a primitive root for all positive 
integers k. Moreover, if r is a primitive root modulo $p^2$, then r is a primitive root modulo 
$p^k$, for all positive integers k. 

Proof. By Theorem 9.9, we know that p has a primitive root r that is also a primitive 
root modulo $p^2$, so that 

(9.2)   $r^{p-1} \not\equiv 1 \pmod{p^2}$. 

Using mathematical induction, we will prove that for this primitive root r, 

(9.3)   $r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}$ 

for all positive integers k, $k \ge 2$. 

Once we have established this incongruence, we can show that r is also a primitive 
root modulo $p^k$ by the following reasoning. Let 


By Corollary 9.1.1, we know that $n \mid \phi(p^k)$. By Theorem 7.3, we have $\phi(p^k) = p^{k-1}(p - 1)$. 
Hence, $n \mid p^{k-1}(p - 1)$. On the other hand, because 

$$r^n \equiv 1 \pmod{p^k},$$

we also know that 

$$r^n \equiv 1 \pmod{p}.$$

Because r is a primitive root modulo p, we have $\operatorname{ord}_p r = \phi(p)$. By Theorem 7.2, we 
know that $\phi(p) = p - 1$. It follows that $\operatorname{ord}_p r = p - 1$. Therefore, by Theorem 9.1, we 
see that $(p - 1) \mid n$. 

Because $(p - 1) \mid n$ and $n \mid p^{k-1}(p - 1)$, we know that $n = p^t(p - 1)$, where t is an 
integer such that $0 \le t \le k - 1$. If $t \le k - 2$, then 

$$r^{p^{k-2}(p-1)} = \left(r^{p^t(p-1)}\right)^{p^{k-2-t}} \equiv 1 \pmod{p^k},$$

which would contradict (9.3). Hence, $\operatorname{ord}_{p^k} r = p^{k-1}(p - 1) = \phi(p^k)$. Consequently, r 
is also a primitive root modulo $p^k$. 

All that remains is to prove (9.3) using mathematical induction. The case of k = 2 
follows from (9.2). Let us assume that the assertion is true for the positive integer $k \ge 2$. 
Then 

$$r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}.$$

Because (r, p) = 1, we know that $(r, p^{k-1}) = 1$. Consequently, from Euler’s theorem, 
we know that 

$$r^{p^{k-2}(p-1)} = r^{\phi(p^{k-1})} \equiv 1 \pmod{p^{k-1}}.$$

Therefore, there is an integer d such that 

$$r^{p^{k-2}(p-1)} = 1 + d p^{k-1},$$

where $p \nmid d$, because by hypothesis $r^{p^{k-2}(p-1)} \not\equiv 1 \pmod{p^k}$. We take the pth power 
of both sides of the above equation to obtain, via the binomial theorem and using the 
hypothesis that p is odd, 

$$r^{p^{k-1}(p-1)} = (1 + d p^{k-1})^p$$
$$= 1 + p(d p^{k-1}) + \binom{p}{2}(d p^{k-1})^2 + \cdots + (d p^{k-1})^p$$
$$\equiv 1 + d p^k \pmod{p^{k+1}}.$$

Because $p \nmid d$, we can conclude that 

$$r^{p^{k-1}(p-1)} \not\equiv 1 \pmod{p^{k+1}}.$$

This completes the proof by induction. ■ 

Example 9.15. By Example 9.13, we know that r = 3 is a primitive root modulo 7 and 
$7^2$. Hence, Theorem 9.10 tells us that r = 3 is also a primitive root modulo $7^k$ for all 
positive integers k. ◄ 

Primitive Roots and Powers of 2   It is now time to discuss whether there are primitive 
roots modulo powers of 2. We first note that both 2 and $2^2 = 4$ have primitive roots, 
namely, 1 and 3, respectively. For higher powers of 2, the situation is different, as the 
following theorem shows; there are no primitive roots modulo these powers of 2. 

Theorem 9.11. If a is an odd integer and k is an integer with $k \ge 3$, then 

$$a^{\phi(2^k)/2} = a^{2^{k-2}} \equiv 1 \pmod{2^k}.$$

Proof. We prove this result using mathematical induction. Suppose that a is an odd 
integer. We can prove that it is true for k = 3 as follows. By Exercise 5 of Section 4.1, 
we have 

$$a^2 \equiv 1 \pmod{8}.$$

This is the desired congruence when k = 3 because $\phi(2^3) = 4$. 

Now, to complete the induction argument, let us assume that 

$$a^{2^{k-2}} \equiv 1 \pmod{2^k}.$$

Then there is an integer d such that 

$$a^{2^{k-2}} = 1 + d \cdot 2^k.$$

Squaring both sides of the above equality, we obtain 

$$a^{2^{k-1}} = 1 + d 2^{k+1} + d^2 2^{2k}.$$

This yields 

$$a^{2^{k-1}} \equiv 1 \pmod{2^{k+1}},$$

which completes the induction argument. ■ 

We can conclude by Theorem 9.11 that no power of 2, other than 2 and 4, has a 
primitive root. To see this, note that when a is an odd integer, $\operatorname{ord}_{2^k} a \ne \phi(2^k)$, because 

$$a^{\phi(2^k)/2} \equiv 1 \pmod{2^k}.$$

Even though there are no primitive roots modulo $2^k$ for $k \ge 3$, there always is an 
element of largest possible order, namely, $\phi(2^k)/2$, as the following theorem shows. 

Theorem 9.12. Let $k \ge 3$ be an integer. Then 

$$\operatorname{ord}_{2^k} 5 = \phi(2^k)/2 = 2^{k-2}.$$

Proof. Theorem 9.11 tells us that 

$$5^{2^{k-2}} \equiv 1 \pmod{2^k},$$

for $k \ge 3$. By Theorem 9.1, we see that $\operatorname{ord}_{2^k} 5 \mid 2^{k-2}$. Therefore, if we show that 
$\operatorname{ord}_{2^k} 5 \nmid 2^{k-3}$, we can conclude that 

$$\operatorname{ord}_{2^k} 5 = 2^{k-2}.$$

To show that $\operatorname{ord}_{2^k} 5 \nmid 2^{k-3}$, we will prove by mathematical induction that, for $k \ge 3$, 

$$5^{2^{k-3}} \equiv 1 + 2^{k-1} \not\equiv 1 \pmod{2^k}.$$

For k = 3, we have 

$$5 \equiv 1 + 4 \pmod{8}.$$

Now, we assume that 

$$5^{2^{k-3}} \equiv 1 + 2^{k-1} \pmod{2^k}.$$

This means that there is an integer d such that 

$$5^{2^{k-3}} = (1 + 2^{k-1}) + d 2^k.$$

Squaring both sides, we find that 

$$5^{2^{k-2}} = (1 + 2^{k-1})^2 + 2(1 + 2^{k-1}) d 2^k + (d 2^k)^2,$$

so that 

$$5^{2^{k-2}} \equiv (1 + 2^{k-1})^2 = 1 + 2^k + 2^{2k-2} \equiv 1 + 2^k \pmod{2^{k+1}}.$$

This completes the induction argument and shows that 

$$\operatorname{ord}_{2^k} 5 = \phi(2^k)/2.$$ ■ 

Primitive Roots Modulo Integers Not Prime Powers We have now demonstrated 
that all powers of odd primes possess primitive roots, while the only powers of 2 having 
primitive roots are 2 and 4. Next, we determine which integers not powers of primes — 
that is, those integers divisible by two or more primes — have primitive roots. We will 
demonstrate that the only positive integers not powers of primes that possess primitive 
roots are twice powers of odd primes. 

We first narrow the set of positive integers that we must consider with the following 
result. 

Theorem 9.13. If n is a positive integer that is not a prime power or twice a prime 
power, then n does not have a primitive root. 

Proof. Let n be a positive integer with prime-power factorization 

$$n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}.$$

Let us assume that the integer n has a primitive root r. This means that (r, n) = 1 
and $\operatorname{ord}_n r = \phi(n)$. Because (r, n) = 1, we know that $(r, p^t) = 1$, whenever $p^t$ is one of 
the prime powers occurring in the factorization of n. By Euler’s theorem, we know that 

$$r^{\phi(p^t)} \equiv 1 \pmod{p^t}.$$

Now, let U be the least common multiple of $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$, that is, 

$$U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because $\phi(p_i^{t_i}) \mid U$, we know that 

$$r^U \equiv 1 \pmod{p_i^{t_i}}$$

for i = 1, 2, ..., m. Using Theorem 4.8, it now follows that 

$$r^U \equiv 1 \pmod{n},$$

which implies that 

$$\operatorname{ord}_n r = \phi(n) \le U.$$

By Theorem 7.4, because $\phi$ is multiplicative, we have 

$$\phi(n) = \phi(p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}) = \phi(p_1^{t_1}) \phi(p_2^{t_2}) \cdots \phi(p_m^{t_m}).$$

This formula for $\phi(n)$ and the inequality $\phi(n) \le U$ imply that 

$$\phi(p_1^{t_1}) \phi(p_2^{t_2}) \cdots \phi(p_m^{t_m}) \le [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because the product of a set of integers is less than or equal to their least common 
multiple only if the integers are pairwise relatively prime (and then the “less than or 
equal to” relation is really just an equality), the integers $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$ 
must be pairwise relatively prime. 

We note that $\phi(p^t) = p^{t-1}(p - 1)$, so that $\phi(p^t)$ is even if p is odd, or if p = 2 and 
$t \ge 2$. Hence, the numbers $\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})$ are not pairwise relatively prime 
unless m = 1 and n is a prime power, or m = 2 and $n = 2p^t$, where p is an odd prime 
and t is a positive integer. ■ 

We have now limited our consideration to integers of the form $n = 2p^t$, where p is 
an odd prime and t is a positive integer. We now show that all such integers have primitive 
roots. 

Theorem 9.14. If p is an odd prime and t is a positive integer, then $2p^t$ possesses a 
primitive root. In fact, if r is a primitive root modulo $p^t$, then if r is odd, it is also a 
primitive root modulo $2p^t$; whereas if r is even, then $r + p^t$ is a primitive root modulo 
$2p^t$. 

Proof. If r is a primitive root modulo $p^t$, then 

$$r^{\phi(p^t)} \equiv 1 \pmod{p^t},$$

and no positive exponent smaller than $\phi(p^t)$ has this property. By Theorem 7.4, we note 
that $\phi(2p^t) = \phi(2)\phi(p^t) = \phi(p^t)$, so that $r^{\phi(2p^t)} \equiv 1 \pmod{p^t}$. 

If r is odd, then 

$$r^{\phi(2p^t)} \equiv 1 \pmod{2}.$$

Thus, by Corollary 4.8.1, we see that $r^{\phi(2p^t)} \equiv 1 \pmod{2p^t}$. No smaller power of r 
is congruent to 1 modulo $2p^t$. Such a power would also be congruent to 1 modulo $p^t$, 
contradicting the assumption that r is a primitive root of $p^t$. It follows that r is a primitive 
root modulo $2p^t$. 

On the other hand, if r is even, then $r + p^t$ is odd. Hence, 

$$(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{2}.$$

Because $r + p^t \equiv r \pmod{p^t}$, we see that 

$$(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{p^t}.$$

Therefore, $(r + p^t)^{\phi(2p^t)} \equiv 1 \pmod{2p^t}$, and as no smaller power of $r + p^t$ is congruent 
to 1 modulo $2p^t$, we see that $r + p^t$ is a primitive root modulo $2p^t$. ■ 

Example 9.16. Earlier in this section we showed that 3 is a primitive root modulo $7^t$ 
for all positive integers t. Hence, because 3 is odd, Theorem 9.14 tells us that 3 is also a 
primitive root modulo $2 \cdot 7^t$ for all positive integers t. For instance, 3 is a primitive root 
modulo 14. 

Similarly, we know that 2 is a primitive root modulo $5^t$ for all positive integers t. 
Because $2 + 5^t$ is odd, Theorem 9.14 tells us that $2 + 5^t$ is a primitive root modulo $2 \cdot 5^t$ 
for all positive integers t. For example, 27 is a primitive root modulo 50. ◄ 

Putting Everything Together   Combining Corollary 9.8.1 and Theorems 9.10, 9.11, 
9.13, and 9.14, we can now describe which positive integers have a primitive root. 

Theorem 9.15. The positive integer n, n > 1, possesses a primitive root if and only if 

$$n = 2, 4, p^t, \text{ or } 2p^t,$$

where p is an odd prime and t is a positive integer. 
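
The constructions in Theorems 9.9, 9.10, and 9.14 and the classification in Theorem 9.15 can be carried out mechanically. The following Python sketch is an added example, not code from the text; the function names are hypothetical, and factoring is done by trial division, so it is meant for small moduli such as those in Examples 9.13 through 9.16.

```python
from math import gcd

def prime_factors(n):
    """Set of prime divisors of n, found by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def euler_phi(n):
    """Euler phi-function computed from the prime divisors of n."""
    result = n
    for q in prime_factors(n):
        result -= result // q
    return result

def order(a, n):
    """Order of a modulo n. Starts from phi(n), a multiple of the order,
    and strips every prime factor that can be removed."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    k = euler_phi(n)
    for q in prime_factors(k):
        while k % q == 0 and pow(a, k // q, n) == 1:
            k //= q
    return k

def is_primitive_root(a, n):
    return gcd(a, n) == 1 and order(a, n) == euler_phi(n)

def has_primitive_root(n):
    """Theorem 9.15: n > 1 has a primitive root iff n = 2, 4, p^t or 2p^t."""
    if n in (2, 4):
        return True
    if n < 2:
        return False
    if n % 2 == 0:
        n //= 2                      # reduce 2p^t to p^t
    return n % 2 == 1 and len(prime_factors(n)) == 1

def lift_primitive_root(r, p, t, twice=False):
    """Given a primitive root r of the odd prime p, return a primitive root
    modulo p^t, or modulo 2p^t when twice is True."""
    if p % 2 == 0 or not is_primitive_root(r, p):
        raise ValueError("r must be a primitive root of an odd prime p")
    # Theorem 9.9: r fails modulo p^2 exactly when r^(p-1) = 1 (mod p^2),
    # and in that case r + p works.
    if t >= 2 and pow(r, p - 1, p * p) == 1:
        r += p
    # Theorem 9.10: a primitive root modulo p^2 is one modulo every p^t.
    # Theorem 9.14: modulo 2p^t an odd root is kept, an even one gets p^t added.
    if twice and r % 2 == 0:
        r += p ** t
    return r

if __name__ == "__main__":
    print(lift_primitive_root(3, 7, 2))               # Example 9.13
    print(lift_primitive_root(10, 487, 2))            # Example 9.14
    print(lift_primitive_root(2, 5, 2, twice=True))   # Example 9.16
```
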


Exercises 

1. Which of the integers 4, 10, 16, 22, and 28 have a primitive root? 

2. Which of the integers 8, 9, 12, 26, 27, 31, and 33 have a primitive root? 

3. Find a primitive root modulo each of the following moduli. 

a) $3^2$   b) $5^2$   c) $23^2$   d) $29^2$ 

4. Find a primitive root modulo each of the following moduli. 

a) $11^2$   b) $13^2$   c) $17^2$   d) $19^2$ 

5. Find a primitive root for all positive integers k modulo each of the following moduli. 

a) $3^k$   b) $11^k$   c) $13^k$   d) $17^k$ 

6. Find a primitive root for all positive integers k modulo each of the following moduli. 

a) $23^k$   b) $29^k$   c) $31^k$   d) $37^k$ 

7. Find a primitive root modulo each of the following moduli. 

a) 10   b) 34   c) 38   d) 50 

8. Find a primitive root modulo each of the following moduli. 

a) 6   b) 18   c) 26   d) 338 

9. Find all the primitive roots modulo 22. 

10. Find all the primitive roots modulo 25. 

11. Find all the primitive roots modulo 38. 

12. Show that there are the same number of primitive roots modulo $2p^t$ as there are modulo $p^t$, 
where p is an odd prime and t is a positive integer. 

> 13. Show that the integer m has a primitive root if and only if the only solutions of the congruence 
$x^2 \equiv 1 \pmod{m}$ are $x \equiv \pm 1 \pmod{m}$. 

* 14. Let n be a positive integer possessing a primitive root. Using this primitive root, prove that 
the product of all positive integers less than n and relatively prime to n is congruent to -1 
modulo n. (When n is prime, this result is Wilson’s theorem (Theorem 6.1).) 

* 15. Show that although there are no primitive roots modulo $2^k$, where k is an integer, $k \ge 3$, every 
odd integer is congruent modulo $2^k$ to exactly one of the integers $(-1)^{\alpha} 5^{\beta}$, where $\alpha = 0$ or 1 
and $\beta$ is an integer satisfying $0 \le \beta \le 2^{k-2} - 1$. 

16. Find the smallest odd prime p that has a primitive root r that is not also a primitive root 
modulo $p^2$. 

Computations and Explorations 

1. Find as many examples as you can where r is a primitive root of the prime p but r is not a 
primitive root of $p^2$. Can you make any conjectures about how often this occurs? 

Programming Projects 

1. Find primitive roots modulo powers of odd primes. 

2. Find primitive roots modulo twice powers of odd primes. 


9.4 Discrete Logarithms and Index Arithmetic 

In this section, we demonstrate how primitive roots may be used to do modular arithmetic. 
Let r be a primitive root modulo the positive integer m (so that m is of the form described 
in Theorem 9.15). By Theorem 9.3, we know that the integers 

$$r, r^2, r^3, \ldots, r^{\phi(m)}$$

form a reduced system of residues modulo m. From this fact, we see that if a is an integer 
relatively prime to m, then there is a unique integer x with $1 \le x \le \phi(m)$ such that 

$$r^x \equiv a \pmod{m}.$$

This leads to the following definition. 

Definition. Let m be a positive integer with primitive root r, and let a be a positive 
integer with (a, m) = 1. The unique integer x with $1 \le x \le \phi(m)$ and $r^x \equiv a \pmod{m}$ 
is called the index (or discrete logarithm) of a to the base r modulo m and is denoted by 
$\operatorname{ind}_r a$, where we do not indicate the modulus m in the notation, as we assume it to be 
fixed. 

From the definition, we see that $r^{\operatorname{ind}_r a} \equiv a \pmod{m}$. We also observe that if a and b are 
integers relatively prime to m, then $a \equiv b \pmod{m}$ if and only if $\operatorname{ind}_r a = \operatorname{ind}_r b$. 

Indices share many properties of logarithms, but with equalities replaced with 
congruences modulo $\phi(m)$ (that is why they are called discrete logarithms). 

Example 9.17. Let m = 7. We have seen that 3 is a primitive root modulo 7 and that 
$3^1 \equiv 3 \pmod{7}$, $3^2 \equiv 2 \pmod{7}$, $3^3 \equiv 6 \pmod{7}$, $3^4 \equiv 4 \pmod{7}$, $3^5 \equiv 5 \pmod{7}$, and 
$3^6 \equiv 1 \pmod{7}$. 

Hence, modulo 7, we have 

$\operatorname{ind}_3 1 = 6$, $\operatorname{ind}_3 2 = 2$, $\operatorname{ind}_3 3 = 1$, 
$\operatorname{ind}_3 4 = 4$, $\operatorname{ind}_3 5 = 5$, $\operatorname{ind}_3 6 = 3$. 

With a different primitive root modulo 7, we obtain a different set of indices. For instance, 
calculations show that with respect to the primitive root 5, 

$\operatorname{ind}_5 1 = 6$, $\operatorname{ind}_5 2 = 4$, $\operatorname{ind}_5 3 = 5$, 
$\operatorname{ind}_5 4 = 2$, $\operatorname{ind}_5 5 = 1$, $\operatorname{ind}_5 6 = 3$. ◄ 

Properties of Indices   We now develop properties of indices modulo m similar to 
those of logarithms, but instead of equalities, we have congruences modulo $\phi(m)$. 

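Theorem 9.16. Let m be a positive integer with primitive root r, and let a and b be 
integers relatively prime to m. Then 

(i) $\operatorname{ind}_r 1 \equiv 0 \pmod{\phi(m)}$, 

(ii) $\operatorname{ind}_r(ab) \equiv \operatorname{ind}_r a + \operatorname{ind}_r b \pmod{\phi(m)}$, 

(iii) $\operatorname{ind}_r a^k \equiv k \cdot \operatorname{ind}_r a \pmod{\phi(m)}$ if k is a positive integer. 

Proof of (i). From Euler’s theorem, we know that $r^{\phi(m)} \equiv 1 \pmod{m}$. Because r is a 
primitive root modulo m, no smaller positive power of r is congruent to 1 modulo m. 
Hence, $\operatorname{ind}_r 1 = \phi(m) \equiv 0 \pmod{\phi(m)}$. 

Proof of (ii). To prove this congruence, note that from the definition of indices, 

$$r^{\operatorname{ind}_r(ab)} \equiv ab \pmod{m}$$

and 

$$r^{\operatorname{ind}_r a + \operatorname{ind}_r b} = r^{\operatorname{ind}_r a} \cdot r^{\operatorname{ind}_r b} \equiv ab \pmod{m}.$$

Hence, 

$$r^{\operatorname{ind}_r(ab)} \equiv r^{\operatorname{ind}_r a + \operatorname{ind}_r b} \pmod{m}.$$

Using Theorem 9.2, we conclude that 

$$\operatorname{ind}_r(ab) \equiv \operatorname{ind}_r a + \operatorname{ind}_r b \pmod{\phi(m)}.$$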

Proof of (iii). To prove the congruence of interest, first note that by definition, we have 

$$r^{\operatorname{ind}_r a^k} \equiv a^k \pmod{m}$$

and 

$$r^{k \cdot \operatorname{ind}_r a} \equiv \left(r^{\operatorname{ind}_r a}\right)^k \pmod{m}.$$

Hence, 

$$r^{\operatorname{ind}_r a^k} \equiv r^{k \cdot \operatorname{ind}_r a} \pmod{m}.$$

Using Theorem 9.2, this leads us immediately to the congruence we want, namely, 

$$\operatorname{ind}_r a^k \equiv k \cdot \operatorname{ind}_r a \pmod{\phi(m)}.$$ ■ 

Example 9.18. From the previous examples, we see that, modulo 7, $\operatorname{ind}_5 2 = 4$ and 
$\operatorname{ind}_5 3 = 5$. Because $\phi(7) = 6$, part (ii) of Theorem 9.16 tells us that 

$$\operatorname{ind}_5 6 = \operatorname{ind}_5 (2 \cdot 3) \equiv \operatorname{ind}_5 2 + \operatorname{ind}_5 3 = 4 + 5 = 9 \equiv 3 \pmod{6}.$$

Note that this agrees with the value previously found for $\operatorname{ind}_5 6$. 

From part (iii) of Theorem 9.16, we see that 

$$\operatorname{ind}_5 3^4 \equiv 4 \cdot \operatorname{ind}_5 3 = 4 \cdot 5 = 20 \equiv 2 \pmod{6}.$$

Note that direct computation gives the same result, because 

$$\operatorname{ind}_5 3^4 = \operatorname{ind}_5 81 = \operatorname{ind}_5 4 = 2.$$ ◄ 

Indices are helpful in the solution of certain types of congruences. Consider the 
following examples. 

Example 9.19. We will use indices to solve the congruence $6x^{12} \equiv 11 \pmod{17}$. We 
find that 3 is a primitive root of 17 (because $3^8 \equiv -1 \pmod{17}$). The indices of integers 
to the base 3 modulo 17 are given in Table 9.1. 

a        |  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16 
ind_3 a  | 16  14   1  12   5  15  11  10   2   3   7  13   4   9   6   8 

Table 9.1 Indices to the base 3 modulo 17. 


Taking the index of each side of the congruence to the base 3 modulo 17, we obtain 
a congruence modulo $\phi(17) = 16$, namely, 

$$\operatorname{ind}_3(6x^{12}) \equiv \operatorname{ind}_3 11 = 7 \pmod{16}.$$

Using parts (ii) and (iii) of Theorem 9.16, we obtain 

$$\operatorname{ind}_3(6x^{12}) \equiv \operatorname{ind}_3 6 + \operatorname{ind}_3(x^{12}) \equiv 15 + 12 \cdot \operatorname{ind}_3 x \pmod{16}.$$

Hence, 

$$15 + 12 \cdot \operatorname{ind}_3 x \equiv 7 \pmod{16}$$

or 

$$12 \cdot \operatorname{ind}_3 x \equiv 8 \pmod{16}.$$

From this congruence, it follows (as the reader should show) that 

$$\operatorname{ind}_3 x \equiv 2 \pmod{4}.$$

Hence, 

$$\operatorname{ind}_3 x \equiv 2, 6, 10, \text{ or } 14 \pmod{16}.$$

Consequently, from the definition of indices, we find that 

$$x \equiv 3^2, 3^6, 3^{10}, \text{ or } 3^{14} \pmod{17}.$$

(Note that this congruence holds modulo 17.) Because $3^2 \equiv 9$, $3^6 \equiv 15$, $3^{10} \equiv 8$, and 
$3^{14} \equiv 2 \pmod{17}$, we conclude that 

$$x \equiv 9, 15, 8, \text{ or } 2 \pmod{17}.$$

Because each step in the computations is reversible, there are four incongruent solutions 
of the original congruence modulo 17. ◄ 


Example 9.20. We wish to find all solutions of the congruence $7^x \equiv 6 \pmod{17}$. When 
we take indices to the base 3 modulo 17 of both sides of this congruence, we find that 

$$\operatorname{ind}_3(7^x) \equiv \operatorname{ind}_3 6 = 15 \pmod{16}.$$

By part (iii) of Theorem 9.16, we obtain 

$$\operatorname{ind}_3(7^x) \equiv x \cdot \operatorname{ind}_3 7 \equiv 11x \pmod{16}.$$

Hence, 

$$11x \equiv 15 \pmod{16}.$$

Because 3 is an inverse of 11 modulo 16, we multiply both sides of the linear congruence 
above by 3, to find that 

$$x \equiv 3 \cdot 15 = 45 \equiv 13 \pmod{16}.$$

All steps in this computation are reversible. Therefore, the solutions of 

$$7^x \equiv 6 \pmod{17}$$

are given by 

$$x \equiv 13 \pmod{16}.$$
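
The index computations of Examples 9.17, 9.19, and 9.20 can be reproduced by building the table of indices and reducing each congruence to a linear congruence modulo $\phi(m)$. The following Python sketch is an added example, not code from the text; the function names are hypothetical, and the table is built by listing all powers of r, which is practical only for small moduli.

```python
from math import gcd

def index_table(r, m):
    """Return {a: ind_r a} for every a relatively prime to m, with
    1 <= ind_r a <= phi(m). Raises ValueError if r is not a primitive root."""
    if gcd(r, m) != 1:
        raise ValueError("r must be relatively prime to m")
    phi = sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)
    table, power = {}, 1
    for x in range(1, phi + 1):
        power = power * r % m
        if power in table:           # a repeat means ord_m r < phi(m)
            raise ValueError("r is not a primitive root modulo m")
        table[power] = x
    return table

def solve_linear(a, b, n):
    """All y with 0 <= y < n and a*y = b (mod n); empty when (a, n) does not
    divide b, otherwise exactly (a, n) solutions."""
    g = gcd(a, n)
    if b % g:
        return []
    a, b, step = a // g, b // g, n // g
    y0 = b * pow(a, -1, step) % step if step > 1 else 0
    return [y0 + i * step for i in range(g)]

def solve_monomial(c, k, a, m, r):
    """Solve c * x^k = a (mod m) for x relatively prime to m, as in
    Example 9.19; c and a must be relatively prime to m."""
    ind = index_table(r, m)
    phi = len(ind)
    # Theorem 9.16 (ii), (iii): ind c + k * ind x = ind a (mod phi(m)).
    rhs = (ind[a % m] - ind[c % m]) % phi
    return sorted(pow(r, y, m) for y in solve_linear(k % phi, rhs, phi))

def solve_exponential(b, a, m, r):
    """Solve b^x = a (mod m) as in Example 9.20; the result lists the
    solutions x as residues modulo phi(m)."""
    ind = index_table(r, m)
    phi = len(ind)
    # Theorem 9.16 (iii): x * ind b = ind a (mod phi(m)).
    return solve_linear(ind[b % m] % phi, ind[a % m] % phi, phi)

if __name__ == "__main__":
    print(index_table(3, 17))                 # Table 9.1
    print(solve_monomial(6, 12, 11, 17, 3))   # Example 9.19
    print(solve_exponential(7, 6, 17, 3))     # Example 9.20
```
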

The Difficulty of Finding Discrete Logarithms 

Given a prime p and a primitive root r, the problem of finding the index (discrete 
logarithm) of an integer a to the base r modulo p is called the discrete logarithm problem. 
This problem is believed to be as computationally difficult as that of factoring integers. 
For this reason, it has been used as the basis for several public key cryptosystems, such as 
the ElGamal cryptosystem discussed in Section 10.2, and protocols, such as the 
Diffie-Hellman key agreement scheme discussed in Section 8.3. With the growing importance 
of the discrete logarithm problem in cryptography, a great deal of research has been 
devoted to constructing efficient algorithms for computing discrete logarithms. The most 
efficient algorithm known for computing discrete logarithms is the number-field sieve 
method, which requires approximately the same number of bit operations to find discrete 
logarithms modulo a prime p as it would to factor a composite number of about the same 
size as p. To determine how long it takes to solve the discrete logarithm problem modulo 
a prime p, consult Table 3.2, which shows how long it takes to factor an integer n of the 
same number of decimal digits as p. For more information about the discrete logarithm 
problem, and algorithms for solving it, consult [MevaVa97] and the many references 
cited there. 

Power Residues 

Indices are also helpful for studying congruences of the form $x^k \equiv a \pmod{m}$, where m is 
a positive integer with a primitive root and (a, m) = 1. Before we study such congruences, 
we present a definition. 

Definition. If m and k are positive integers and a is an integer relatively prime to m, 
then we say that a is a kth power residue of m if the congruence $x^k \equiv a \pmod{m}$ has a 
solution. 

When m is an integer possessing a primitive root, the following theorem gives a 
useful criterion for an integer a relatively prime to m to be a kth power residue of m. 

Theorem 9.17. Let m be a positive integer with a primitive root. If k is a positive 
integer and a is an integer relatively prime to m, then the congruence $x^k \equiv a \pmod{m}$ 
has a solution if and only if 

$$a^{\phi(m)/d} \equiv 1 \pmod{m},$$

where $d = (k, \phi(m))$. Furthermore, if there are solutions of $x^k \equiv a \pmod{m}$, then there 
are exactly d incongruent solutions modulo m. 

Proof. Let r be a primitive root of m. We note that the congruence

$$x^k \equiv a \pmod{m}$$

holds if and only if the indices to the base r of the two sides of this congruence are
congruent modulo $\phi(m)$. Consequently, the previous congruence holds if and only if

$$k \cdot \operatorname{ind}_r x \equiv \operatorname{ind}_r a \pmod{\phi(m)}. \tag{9.4}$$

Now let $d = (k, \phi(m))$ and $y = \operatorname{ind}_r x$, so that $x \equiv r^y \pmod{m}$. By Theorem 4.10, we
note that if $d \nmid \operatorname{ind}_r a$, then the linear congruence

$$ky \equiv \operatorname{ind}_r a \pmod{\phi(m)} \tag{9.5}$$

has no solutions and, hence, there are no integers x satisfying (9.4). If $d \mid \operatorname{ind}_r a$, then
there are exactly d integers y incongruent modulo $\phi(m)$ such that (9.5) holds and, hence,
exactly d integers x incongruent modulo m such that (9.4) holds. Because $d \mid \operatorname{ind}_r a$ if
and only if

$$(\phi(m)/d) \operatorname{ind}_r a \equiv 0 \pmod{\phi(m)},$$

and this congruence holds if and only if

$$a^{\phi(m)/d} \equiv 1 \pmod{m},$$

the theorem is true. ■

We note that Theorem 9.17 tells us that if p is a prime, k is a positive integer, and a
is an integer relatively prime to p, then a is a kth power residue of p if and only if

$$a^{(p-1)/d} \equiv 1 \pmod{p},$$

where $d = (k, p - 1)$. We illustrate this observation with an example.

Example 9.21. To determine whether 5 is a sixth power residue of 17, that is, whether
the congruence

$$x^6 \equiv 5 \pmod{17}$$

has a solution, we determine that

$$5^{16/(6,16)} = 5^8 \equiv -1 \pmod{17}.$$

Hence, 5 is not a sixth power residue of 17. ◄

A table of indices with respect to the least primitive root modulo each prime less 
than 100 is given in Table 4 of Appendix E. 
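
The index method of this section (solving $7^x \equiv 6 \pmod{17}$ and applying Theorem 9.17) can be carried out mechanically. The following Python sketch is an added example, not code from the book; the function names are illustrative, and it assumes the caller supplies a primitive root r of m and that a is a unit modulo m.

```python
from math import gcd


def index_table(r, m):
    """Return ({a: ind_r a}, phi(m)) for the units a modulo m.

    Assumes r is a primitive root of m; raises ValueError otherwise.
    """
    phi = sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)
    table, power = {}, 1
    for exponent in range(phi):
        table[power] = exponent          # r^exponent ≡ power (mod m)
        power = power * r % m
    if len(table) != phi:
        raise ValueError(f"{r} is not a primitive root modulo {m}")
    return table, phi


def solve_linear(k, c, n):
    """All y in [0, n) with k*y ≡ c (mod n); empty unless gcd(k, n) divides c."""
    d = gcd(k, n)
    if c % d:
        return []
    n1 = n // d
    y0 = 0 if n1 == 1 else (c // d) * pow(k // d, -1, n1) % n1   # Python 3.8+
    return [y0 + i * n1 for i in range(d)]


def kth_roots(k, a, m, r):
    """All x modulo m with x^k ≡ a (mod m), from k * ind x ≡ ind a (mod phi(m))."""
    table, phi = index_table(r, m)
    return sorted(pow(r, y, m) for y in solve_linear(k, table[a % m], phi))


def is_kth_power_residue(k, a, m, r):
    """Criterion of Theorem 9.17: a^(phi(m)/d) ≡ 1 (mod m) with d = (k, phi(m))."""
    _, phi = index_table(r, m)
    return pow(a, phi // gcd(k, phi), m) == 1


def discrete_logs(base, target, m, r):
    """All x modulo phi(m) with base^x ≡ target (mod m)."""
    table, phi = index_table(r, m)
    return solve_linear(table[base % m], table[target % m], phi)


if __name__ == "__main__":
    print(discrete_logs(7, 6, 17, 3))         # exponents x with 7^x ≡ 6 (mod 17)
    print(is_kth_power_residue(6, 5, 17, 3))  # Example 9.21
    print(kth_roots(6, 13, 17, 3))            # the d = (6, 16) = 2 sixth roots of 13
```

The table costs $\phi(m)$ multiplications to build, which is why this approach does not scale to the prime sizes used in cryptography.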

Proving Theorem 6.10. This proof of Theorem 6.10 is quite long and complicated,
but is based only on results already established. We present this proof to give the reader
an indication that even elementary proofs can be difficult to create and hard to follow. As
you read this proof, follow each part carefully and check each separate case. We restate
Theorem 6.10 for convenience.

Theorem 6.10. If n is an odd composite positive integer, then n passes Miller’s test for
at most $(n - 1)/4$ bases b with $1 \le b \le n - 1$.

We need the following lemma in the proof.

Lemma 9.2. Let p be an odd prime and let e and q be positive integers. Then the number
of incongruent solutions of the congruence $x^q \equiv 1 \pmod{p^e}$ is $(q, p^{e-1}(p - 1))$.

Proof. Let r be a primitive root of $p^e$. By taking indices with respect to r, we see
that $x^q \equiv 1 \pmod{p^e}$ if and only if $qy \equiv 0 \pmod{\phi(p^e)}$, where $y = \operatorname{ind}_r x$. Using
Theorem 4.10, we see that there are exactly $(q, \phi(p^e))$ incongruent solutions of
$qy \equiv 0 \pmod{\phi(p^e)}$. Consequently, there are $(q, \phi(p^e)) = (q, p^{e-1}(p - 1))$ incongruent
solutions of $x^q \equiv 1 \pmod{p^e}$. ■

We now proceed with a proof of Theorem 6.10. 

Proof. Let $n - 1 = 2^s t$, where s is a positive integer and t is an odd positive integer.
For n of Theorem 6.10 to be a strong pseudoprime to the base b, either

$$b^t \equiv 1 \pmod{n}$$

or

$$b^{2^j t} \equiv -1 \pmod{n}$$

for some integer j with $0 \le j \le s - 1$. In either case, we have

$$b^{n-1} \equiv 1 \pmod{n}.$$

Let the prime-power factorization of n be $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. By Lemma 9.2, we
know that there are $(n - 1, p_j^{e_j - 1}(p_j - 1)) = (n - 1, p_j - 1)$ incongruent solutions of
$x^{n-1} \equiv 1 \pmod{p_j^{e_j}}$, j = 1, 2, ..., r. Consequently, the Chinese remainder theorem tells
us that there are exactly $\prod_{j=1}^{r} (n - 1, p_j - 1)$ incongruent solutions of $x^{n-1} \equiv 1 \pmod{n}$.
We consider two cases.

Case (i). We first consider the case where the prime-power factorization of n contains
a prime power $p_k^{e_k}$ with exponent $e_k \ge 2$. Because

$$(p_k - 1)/p_k^{e_k} = (1/p_k^{e_k - 1}) - (1/p_k^{e_k}) \le 2/9$$

(the largest possible value occurs when $p_k = 3$ and $e_k = 2$), we see that

$$\prod_{j=1}^{r} (n - 1, p_j - 1) \le \prod_{j=1}^{r} (p_j - 1) \le \Bigl(\prod_{j \ne k} p_j\Bigr)\Bigl(\tfrac{2}{9} p_k^{e_k}\Bigr) \le \tfrac{2}{9} n.$$

Because $\tfrac{2}{9} n \le \tfrac{1}{4}(n - 1)$ for $n \ge 9$, it follows that

$$\prod_{j=1}^{r} (n - 1, p_j - 1) \le (n - 1)/4.$$

Consequently, there are at most $(n - 1)/4$ integers b, $1 \le b \le n$, for which n is a strong
pseudoprime to the base b.

Case (ii). Now we consider the case where $n = p_1 p_2 \cdots p_r$, where $p_1, p_2, \ldots, p_r$ are
distinct odd primes. Let

$$p_i - 1 = 2^{s_i} t_i, \quad i = 1, 2, \ldots, r,$$

where $s_i$ is a positive integer and $t_i$ is an odd positive integer. We reorder the primes
$p_1, p_2, \ldots, p_r$ (if necessary) so that $s_1 \le s_2 \le \cdots \le s_r$. We note that

$$(n - 1, p_i - 1) = 2^{\min(s, s_i)} (t, t_i).$$

The number of incongruent solutions of $x^t \equiv 1 \pmod{p_i}$ is $T_i = (t, t_i)$. From Exercise
22 at the end of this section, there are $2^j T_i$ incongruent solutions of $x^{2^j t} \equiv -1 \pmod{p_i}$
when $0 \le j \le s_i - 1$, and no solutions otherwise. Hence, using the Chinese remainder
theorem, there are $T_1 T_2 \cdots T_r$ incongruent solutions of $x^t \equiv 1 \pmod{n}$, and $2^{jr} T_1 T_2 \cdots T_r$
incongruent solutions of $x^{2^j t} \equiv -1 \pmod{n}$ when $0 \le j \le s_1 - 1$. Therefore, there are a
total of

$$T_1 T_2 \cdots T_r \Bigl(1 + \sum_{j=0}^{s_1 - 1} 2^{jr}\Bigr) = T_1 T_2 \cdots T_r \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr)$$

integers b, with $1 \le b \le n - 1$, for which n is a strong pseudoprime to the base b.
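Now we note that

$$\phi(n) = (p_1 - 1)(p_2 - 1) \cdots (p_r - 1) = t_1 t_2 \cdots t_r 2^{s_1 + s_2 + \cdots + s_r}.$$

We will show that

$$T_1 T_2 \cdots T_r \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \le \phi(n)/4,$$

which proves the desired result. Because $T_1 T_2 \cdots T_r \le t_1 t_2 \cdots t_r$, we can achieve our
goal by showing that

$$\Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{s_1 + s_2 + \cdots + s_r} \le \frac{1}{4}. \tag{9.6}$$

Because $s_1 \le s_2 \le \cdots \le s_r$, we see that

$$\begin{aligned}
\Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{s_1 + s_2 + \cdots + s_r}
&\le \Bigl(1 + \frac{2^{r s_1} - 1}{2^r - 1}\Bigr) \Big/ 2^{r s_1} \\
&= \frac{1}{2^{r s_1}} + \frac{2^{r s_1} - 1}{2^{r s_1}(2^r - 1)} \\
&= \frac{1}{2^{r s_1}} + \frac{1}{2^r - 1} - \frac{1}{2^{r s_1}(2^r - 1)} \\
&= \frac{1}{2^r - 1} + \frac{2^r - 2}{2^{r s_1}(2^r - 1)} \\
&\le \frac{1}{2^{r-1}}.
\end{aligned}$$

From this inequality, we conclude that (9.6) is valid when $r \ge 3$.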

When r = 2, we have $n = p_1 p_2$, with $p_1 - 1 = 2^{s_1} t_1$ and $p_2 - 1 = 2^{s_2} t_2$, with $s_1 \le s_2$.
If $s_1 < s_2$, then (9.6) is again valid, because

$$\Bigl(1 + \frac{2^{2 s_1} - 1}{3}\Bigr) \Big/ 2^{s_1 + s_2} = \Bigl(\frac{1}{3} + \frac{1}{3 \cdot 2^{2 s_1 - 1}}\Bigr) \Big/ 2^{s_2 - s_1} \le \frac{1}{4}.$$

When $s_1 = s_2$, we have $(n - 1, p_1 - 1) = 2^{s_1} T_1$ and $(n - 1, p_2 - 1) = 2^{s_1} T_2$. Let us assume
that $p_1 > p_2$. Note that $T_1 \ne t_1$, for if $T_1 = t_1$, then $(p_1 - 1) \mid (n - 1)$, so that

$$n = p_1 p_2 \equiv p_2 \equiv 1 \pmod{p_1 - 1},$$

which implies that $p_2 > p_1$, a contradiction. Because $T_1 \ne t_1$, we know that $T_1 \le t_1/3$.
Similarly, if $p_1 < p_2$, then $T_2 \ne t_2$, so that $T_2 \le t_2/3$. Hence, $T_1 T_2 \le t_1 t_2/3$, and because
$\bigl(1 + \frac{2^{2 s_1} - 1}{3}\bigr) / 2^{2 s_1} \le \frac{1}{2}$, we have

$$T_1 T_2 \Bigl(1 + \frac{2^{2 s_1} - 1}{3}\Bigr) \le t_1 t_2 2^{2 s_1}/6 = \phi(n)/6,$$

proving the theorem for this final case, since $\phi(n)/6 \le (n - 1)/6 < (n - 1)/4$. ■
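
The count obtained in Case (ii) can be checked against a direct enumeration of the bases that pass Miller's test. The following Python sketch is an added example, not code from the book; the function names are illustrative, the formula function assumes its argument is a list of distinct odd primes, and the brute-force counter is practical only for small n.

```python
from math import gcd


def odd_part(m):
    """Write m = 2^s * t with t odd and return (s, t)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m


def passes_miller(n, b):
    """Miller's test: b^t ≡ 1 or b^(2^j t) ≡ -1 (mod n) for some 0 <= j <= s - 1."""
    s, t = odd_part(n - 1)
    x = pow(b, t, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def count_bases_brute(n):
    """Number of bases b, 1 <= b <= n - 1, for which n passes Miller's test."""
    return sum(passes_miller(n, b) for b in range(1, n))


def count_bases_formula(primes):
    """Case (ii) count T_1...T_r * (1 + sum_{j < s_1} 2^(j r)) for n = p_1...p_r.

    Assumes the p_i are distinct odd primes (not checked here).
    """
    n = 1
    for p in primes:
        n *= p
    _, t = odd_part(n - 1)
    s1 = min(odd_part(p - 1)[0] for p in primes)
    product_T = 1
    for p in primes:
        product_T *= gcd(t, odd_part(p - 1)[1])     # T_i = (t, t_i)
    r = len(primes)
    return product_T * (1 + sum(2 ** (j * r) for j in range(s1)))


if __name__ == "__main__":
    # 91 = 7 * 13 with 7 = 1 + 2*3 and 13 = 1 + 4*3: the count equals phi(91)/4.
    print(count_bases_formula([7, 13]), count_bases_brute(91), (91 - 1) / 4)
    # 561 = 3 * 11 * 17 stays well below the (n - 1)/4 bound.
    print(count_bases_formula([3, 11, 17]), count_bases_brute(561), (561 - 1) / 4)
```

For a primality test that draws its bases at random, the bound of Theorem 6.10 is what limits the chance that a composite n survives a single round to at most 1/4.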

By analyzing the inequalities in the proof of Theorem 6.10, we can see that the
probability that n is a strong pseudoprime to the randomly chosen base b, $1 \le b \le n - 1$,
is close to 1/4 only for integers n with prime factorizations of the form $n = p_1 p_2$, with
$p_1 = 1 + 2q_1$ and $p_2 = 1 + 4q_2$, where $q_1$ and $q_2$ are odd primes, or $n = p_1 p_2 p_3$, with
$p_1 = 1 + 2q_1$, $p_2 = 1 + 2q_2$, and $p_3 = 1 + 2q_3$, where $q_1$, $q_2$, and $q_3$ are distinct odd
primes (see Exercise 23).

9.4 Exercises

1. Write out a table of indices modulo 23 with respect to the primitive root 5. 

2. Find all the solutions of the following congruences.
a) $3x^5 \equiv 1 \pmod{23}$ b) $3x^{14} \equiv 2 \pmod{23}$

3. Find all the solutions of the following congruences.
a) $3^x \equiv 2 \pmod{23}$ b) $13^x \equiv 5 \pmod{23}$

4. For which positive integers a is the congruence $ax^4 \equiv 2 \pmod{13}$ solvable?

5. For which positive integers b is the congruence $8x^7 \equiv b \pmod{29}$ solvable?

6. Find the solutions of $2^x \equiv x \pmod{13}$, using indices to the base 2 modulo 13.

7. Find all the solutions of $x^x \equiv x \pmod{23}$.

8. Show that if p is an odd prime and r is a primitive root of p, then $\operatorname{ind}_r (p - 1) = (p - 1)/2$.

9. Let p be an odd prime. Show that the congruence $x^4 \equiv -1 \pmod{p}$ has a solution if and only
if p is of the form 8k + 1.

10. Prove that there are infinitely many primes of the form 8k + 1. (Hint: Assume that $p_1, p_2, \ldots, p_n$
are the only primes of this form. Let $Q = (2 p_1 p_2 \cdots p_n)^4 + 1$. Show that Q must have
an odd prime factor different than $p_1, p_2, \ldots, p_n$ and, by Exercise 9, necessarily of the form
8k + 1.)

By Exercise 15 of Section 9.3, we know that if a is an odd positive integer, then there are unique
integers $\alpha$ and $\beta$ with $\alpha = 0$ or 1 and $0 \le \beta \le 2^{k-2} - 1$ such that $a \equiv (-1)^{\alpha} 5^{\beta} \pmod{2^k}$. Define
the index system of a modulo $2^k$ to be equal to the pair $(\alpha, \beta)$.

11. Find the index system of 7 and 9 modulo 16. 

12. Develop rules for the index systems modulo 2 k of products and powers, analogous to the rules 
for indices. 

13. Use the index system modulo 32 to find all solutions of $7x^9 \equiv 11 \pmod{32}$ and $3^x \equiv 17 \pmod{32}$.

Let $n = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$ be the prime-power factorization of n. Let a be an integer relatively prime
to n. Let $r_1, r_2, \ldots, r_m$ be primitive roots of $p_1^{t_1}, p_2^{t_2}, \ldots, p_m^{t_m}$, respectively, and let
$\gamma_1 = \operatorname{ind}_{r_1} a \pmod{\phi(p_1^{t_1})}$, $\gamma_2 = \operatorname{ind}_{r_2} a \pmod{\phi(p_2^{t_2})}$, ..., $\gamma_m = \operatorname{ind}_{r_m} a \pmod{\phi(p_m^{t_m})}$.
If $t_0 \le 2$, let $r_0$ be a primitive root of $2^{t_0}$, and let $\gamma_0 = \operatorname{ind}_{r_0} a \pmod{\phi(2^{t_0})}$. If $t_0 \ge 3$, let $(\alpha, \beta)$ be the index system
of a modulo $2^k$, so that $a \equiv (-1)^{\alpha} 5^{\beta} \pmod{2^k}$. Define the index system of a modulo n to be
$(\gamma_0, \gamma_1, \gamma_2, \ldots, \gamma_m)$ if $t_0 \le 2$ and $(\alpha, \beta, \gamma_1, \gamma_2, \ldots, \gamma_m)$ if $t_0 \ge 3$.

14. Show that if n is a positive integer, then every integer has a unique index system modulo n. 

15. Find the index systems of 17 and 41 (mod 120) (in your computations, use 2 as a primitive 
root of the prime factor 5 of 120). 

16. Develop rules for the index systems modulo n of products and powers, analogous to those 
for indices. 

17. Use an index system modulo 60 to find the solutions of $11x^7 \equiv 43 \pmod{60}$.

18. Let p be a prime, p > 3. Show that if $p \equiv 2 \pmod{3}$, then every integer not divisible by 3 is a
third-power, or cubic, residue of p, whereas if $p \equiv 1 \pmod{3}$, an integer a is a cubic residue
of p if and only if $a^{(p-1)/3} \equiv 1 \pmod{p}$.

19. Let e be a positive integer with $e \ge 2$. Show that if k is an odd positive integer, then every
odd integer a is a kth power residue of $2^e$.

* 20. Let e be a positive integer with $e \ge 2$. Show that if k is even, then an integer a is a kth power
residue of $2^e$ if and only if $a \equiv 1 \pmod{(4k, 2^e)}$.

* 21. Let e be a positive integer with $e \ge 2$. Show that if k is a positive integer, then the number of
incongruent kth power residues of $2^e$ is

$$\frac{2^{e-1}}{(k, 2)(k, 2^{e-2})}.$$

► 22. Let p be an odd prime and let $N = 2^j u$ be a positive integer, with j a nonnegative integer and
u an odd positive integer, and let $p - 1 = 2^s t$, where s and t are positive integers with t odd.
Show that there are $2^j (t, u)$ incongruent solutions of $x^N \equiv -1 \pmod{p}$ if $0 \le j \le s - 1$, and
no solutions otherwise.

* 23. a) Show that the probability that n is a strong pseudoprime for a base b randomly chosen
with $1 \le b \le n - 1$ is near 1/4 only when n has a prime factorization of the form $n = p_1 p_2$,
where $p_1 = 1 + 2q_1$ and $p_2 = 1 + 4q_2$, with $q_1$ and $q_2$ prime, or $n = p_1 p_2 p_3$, where
$p_1 = 1 + 2q_1$, $p_2 = 1 + 2q_2$, and $p_3 = 1 + 2q_3$, with $q_1$, $q_2$, $q_3$ distinct odd primes.
b) Find the probability that n = 49,939 · 99,877 is a strong pseudoprime to the base b
randomly chosen with $1 \le b \le n - 1$.

Computations and Explorations 

1. Find integers n for which the probability that n is a strong pseudoprime to the randomly
chosen base b, $1 \le b \le n - 1$, is close to 1/4.

Programming Projects 

1. Construct a table of indices modulo a particular primitive root of an integer. 

2. Using indices, solve congruences of the form $ax^b \equiv c \pmod{m}$, where a, b, c, and m are
integers with c > 0, m > 0, and where m has a primitive root.

3. Find kth power residues of a positive integer m having a primitive root, where k is a positive
integer.

4. Find index systems modulo powers of 2 (see the preamble to Exercise 11).

5. Find index systems modulo arbitrary positive integers (see the preamble to Exercise 14). 


9.5 Primality Tests Using Orders of Integers and Primitive Roots 

In Chapter 6, we saw that the converse of Fermat’s little theorem is not true. Fermat’s
little theorem tells us that if p is prime and a is an integer with (a, p) = 1, then $a^{p-1} \equiv 1 \pmod{p}$.
Even if $a^{n-1} \equiv 1 \pmod{n}$, where a is a positive integer, n may still be composite.
Although the converse of Fermat’s little theorem is not true, can we establish partial
converses? That is, can we add hypotheses to the converse to make it true?

In this section, we will use the concepts developed in this chapter to prove some 
partial converses of Fermat’s little theorem. We begin with a result known as Lucas’s 
converse of Fermat’s little theorem. This result was proved by French mathematician 
Edouard Lucas in 1876. 

Theorem 9.18. Lucas’s Converse of Fermat’s Little Theorem. If n is a positive
integer and if an integer x exists such that

$$x^{n-1} \equiv 1 \pmod{n}$$

and

$$x^{(n-1)/q} \not\equiv 1 \pmod{n}$$

for all prime divisors q of n - 1, then n is prime.

Proof. Because $x^{n-1} \equiv 1 \pmod{n}$, Theorem 9.1 tells us that $\operatorname{ord}_n x \mid (n - 1)$. We will
show that $\operatorname{ord}_n x = n - 1$. Suppose that $\operatorname{ord}_n x \ne n - 1$. Because $\operatorname{ord}_n x \mid (n - 1)$, there is
an integer k with $n - 1 = k \cdot \operatorname{ord}_n x$, and because $\operatorname{ord}_n x \ne n - 1$, we know that k > 1. Let
q be a prime divisor of k. Then

$$x^{(n-1)/q} = x^{(k \cdot \operatorname{ord}_n x)/q} = (x^{\operatorname{ord}_n x})^{k/q} \equiv 1 \pmod{n}.$$

However, this contradicts the hypotheses of the theorem, so we must have $\operatorname{ord}_n x = n - 1$.
Now, because $\operatorname{ord}_n x \le \phi(n)$ and $\phi(n) \le n - 1$, it follows that $\phi(n) = n - 1$. By Theorem
7.2, we know that n must be prime. ■

Note that Theorem 9.18 is equivalent to the fact that if there is an integer with order
modulo n equal to n - 1, then n must be prime. We illustrate the use of Theorem 9.18
with an example.

Example 9.22. Let n = 1009. Then $11^{1008} \equiv 1 \pmod{1009}$. The prime divisors of 1008
are 2, 3, and 7. We see that $11^{1008/2} = 11^{504} \equiv -1 \pmod{1009}$, $11^{1008/3} = 11^{336} \equiv 374 \pmod{1009}$,
and $11^{1008/7} = 11^{144} \equiv 935 \pmod{1009}$. Hence, by Theorem 9.18, we know
that 1009 is prime. ◄

The following corollary of Theorem 9.18 gives a slightly more efficient primality test.

Corollary 9.18.1. If n is an odd positive integer and if x is a positive integer such that

$$x^{(n-1)/2} \equiv -1 \pmod{n}$$

and

$$x^{(n-1)/q} \not\equiv 1 \pmod{n}$$

for all odd prime divisors q of n - 1, then n is prime.

Proof. Because $x^{(n-1)/2} \equiv -1 \pmod{n}$, we see that

$$x^{n-1} = (x^{(n-1)/2})^2 \equiv (-1)^2 = 1 \pmod{n}.$$

Because the hypotheses of Theorem 9.18 are met, we know that n is prime. ■

Example 9.23. Let n = 2003. The odd prime divisors of n - 1 = 2002 are 7, 11,
and 13. Because $5^{2002/2} = 5^{1001} \equiv -1 \pmod{2003}$, $5^{2002/7} = 5^{286} \equiv 874 \pmod{2003}$,
$5^{2002/11} = 5^{182} \equiv 886 \pmod{2003}$, and $5^{2002/13} = 5^{154} \equiv 633 \pmod{2003}$, we see from
Corollary 9.18.1 that 2003 is prime. ◄

To determine whether an integer n is prime using either Theorem 9.18 or Corollary 
9.18.1, it is necessary to know the prime factorization of n — 1. As we have remarked 
before, finding the prime factorization of an integer is a time-consuming process. Only 
when we have some a priori information about the factorization of n - 1 are the primality 
tests given by these results practical. Indeed, with such information these tests can be 
useful. Such a situation occurs with the Fermat numbers; in Chapter 11, we give a 
primality test for these numbers based on the ideas of this section. 

In Chapter 3, we discussed the recent discovery of an algorithm that can prove that 
an integer n is prime in polynomial time (in the number of digits in the prime). We can 
prove a weaker result using Corollary 9.18.1, which shows that we can prove that an 
integer is prime in polynomial time once particular information is known. 

Theorem 9.19. If n is prime, this can be proved when sufficient information is available
using $O((\log_2 n)^4)$ bit operations.

Proof. We use the second principle of mathematical induction. The induction hypothesis
is an estimate for f(n), where f(n) is the total number of multiplications and modular
exponentiations needed to verify that the integer n is prime.

We demonstrate that

$$f(n) \le 3(\log n/\log 2) - 2.$$

First, we note that f(2) = 1. We assume that for all primes q, with q < n, the
inequality

$$f(q) \le 3(\log q/\log 2) - 2$$

holds.

To prove that n is prime, we use Corollary 9.18.1. Once we have the numbers
$2^a, q_1, \ldots, q_t$, and x that supposedly satisfy

(i) $n - 1 = 2^a q_1 q_2 \cdots q_t$,

(ii) $q_i$ is prime for i = 1, 2, ..., t,

(iii) $x^{(n-1)/2} \equiv -1 \pmod{n}$,

and

(iv) $x^{(n-1)/q_i} \not\equiv 1 \pmod{n}$, for i = 1, 2, ..., t,

we need to do t multiplications to check (i), t + 1 modular exponentiations to check (iii)
and (iv), and $f(q_i)$ multiplications and modular exponentiations to check (ii), that $q_i$ is
prime for i = 1, 2, ..., t. Hence,

$$f(n) = t + (t + 1) + \sum_{i=1}^{t} f(q_i) \le 2t + 1 + \sum_{i=1}^{t} \bigl((3 \log q_i/\log 2) - 2\bigr).$$

Now, each multiplication requires $O((\log_2 n)^2)$ bit operations and each modular
exponentiation requires $O((\log_2 n)^3)$ bit operations. Because the total number of
multiplications and modular exponentiations needed is $f(n) = O(\log_2 n)$, the total number of bit
operations needed is $O((\log_2 n)(\log_2 n)^3) = O((\log_2 n)^4)$. ■
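
The "sufficient information" in Theorem 9.19 is a recursive certificate: a witness x and the odd prime divisors of n - 1, each with its own certificate. The following Python sketch is an added example, not code from the book; the function names and the dictionary layout of the certificate are illustrative choices, and the sample certificate is constructed here from the witnesses used in Examples 9.22 and 9.23.

```python
def fully_factored(m, primes):
    """True when m is a product of powers of the listed integers (each >= 2)."""
    for q in primes:
        if q < 2:
            return False
        while m % q == 0:
            m //= q
    return m == 1


def lucas_converse(n, x, primes):
    """Theorem 9.18, given what is claimed to be every prime divisor of n - 1."""
    if n < 2 or not fully_factored(n - 1, primes):
        return False
    if pow(x, n - 1, n) != 1:
        return False
    return all((n - 1) % q == 0 and pow(x, (n - 1) // q, n) != 1 for q in primes)


def corollary_9_18_1(n, x, odd_primes):
    """Corollary 9.18.1, given the odd prime divisors of n - 1 (n odd)."""
    if n < 3 or n % 2 == 0 or not fully_factored(n - 1, [2, *odd_primes]):
        return False                                      # condition (i)
    if pow(x, (n - 1) // 2, n) != n - 1:                  # condition (iii)
        return False
    return all(q % 2 == 1 and (n - 1) % q == 0            # condition (iv)
               and pow(x, (n - 1) // q, n) != 1 for q in odd_primes)


def verify_certificate(n, cert):
    """Check conditions (i)-(iv) from the proof of Theorem 9.19 recursively.

    cert maps each odd prime p to (x, [odd prime divisors of p - 1]).
    The primality of 2 is taken as the base case.
    """
    if n == 2:
        return True
    if n not in cert:
        return False
    x, odd_primes = cert[n]
    return (corollary_9_18_1(n, x, odd_primes)
            and all(verify_certificate(q, cert) for q in odd_primes))  # (ii)


# Constructed sample certificate covering 1009 and 2003 and every prime below them
# that the recursion reaches.
CERT = {
    1009: (11, [3, 7]),
    2003: (5, [7, 11, 13]),
    13: (2, [3]),
    11: (2, [5]),
    7: (3, [3]),
    5: (2, []),
    3: (2, []),
}

if __name__ == "__main__":
    print(lucas_converse(1009, 11, [2, 3, 7]))   # Example 9.22
    print(verify_certificate(1009, CERT), verify_certificate(2003, CERT))
```

A verifier of this kind rejects a certificate that omits a prime divisor of n - 1, because the completeness check in condition (i) fails before any exponentiation is trusted.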

Another limited converse of Fermat’s little theorem was established by Henry
Pocklington in 1914. He showed that the primality of n can be established using a partial
factorization of n - 1. We use the usual notation n - 1 = FR, where F represents the
part of n - 1 factored into primes and R the remaining part not factored into primes.

Theorem 9.20. Pocklington’s Primality Test. Suppose that n is a positive integer
with n - 1 = FR, where (F, R) = 1 and F > R. The integer n is prime if there exists an
integer a such that $(a^{(n-1)/q} - 1, n) = 1$ whenever q is a prime with $q \mid F$ and $a^{n-1} \equiv 1 \pmod{n}$.

Proof. Suppose that p is a prime divisor of n with $p \le \sqrt{n}$. Because $a^{n-1} \equiv 1 \pmod{n}$
(where a is the integer assumed to have the properties specified in the hypotheses), if
$p \mid n$, we see that $a^{n-1} \equiv 1 \pmod{p}$. It follows that $\operatorname{ord}_p a \mid n - 1$. Consequently, there
exists an integer t such that $n - 1 = t \cdot \operatorname{ord}_p a$.

Now, suppose that q is a prime with $q \mid F$ and that $q^e$ is the power of q appearing
in the prime-power factorization of F. We will show that $q \nmid t$. To see this, note that if
$q \mid t$, then

$$a^{(n-1)/q} = a^{\operatorname{ord}_p a \cdot (t/q)} \equiv 1 \pmod{p}.$$

This implies that $p \mid (a^{(n-1)/q} - 1, n)$ because $p \mid a^{(n-1)/q} - 1$ and $p \mid n$. This contradicts
the hypothesis that $(a^{(n-1)/q} - 1, n) = 1$. Consequently, $q \nmid t$. It follows that $q^e \mid \operatorname{ord}_p a$.
Because for every prime dividing F the power of this prime in the prime-power
factorization of F divides $\operatorname{ord}_p a$, it follows that $F \mid \operatorname{ord}_p a$. Because $\operatorname{ord}_p a \mid p - 1$, it follows
that $F \mid p - 1$, implying that F < p.

Because F > R and n - 1 = FR, it follows that $n - 1 < F^2$. Because both n - 1
and $F^2$ are integers, we have $n \le F^2$, so $p > F \ge \sqrt{n}$. We can conclude that n is prime.


The following example illustrates the use of Pocklington’s primality test, where only
a partial factorization of n - 1 is used to show that n is prime.

Example 9.24. We will use Pocklington’s primality test to show that 23801 is prime.
With n = 23801, we can use the partial factorization of n - 1 = 23800 = FR, where
$F = 200 = 2^3 5^2$ and R = 119, so that F > R. Taking a = 3, we find (with the help of
computation software) that

$$3^{23800} \equiv 1 \pmod{23801}$$

$$3^{23800/2} \equiv -1 \pmod{23801}$$

$$3^{23800/5} \equiv 19672 \pmod{23801}.$$

From this, we find (using the Euclidean algorithm) that $(3^{23800/2} - 1, 23801) = (-2, 23801) = 1$
and $(3^{23800/5} - 1, 23801) = (19671, 23801) = 1$. This shows
that n = 23801 is prime, even though we did not use the complete factorization of
n - 1 = 23800 (namely, $23800 = 2^3 \cdot 5^2 \cdot 7 \cdot 17$). ◄

We can use Pocklington’s primality test to develop another test, which is useful
for testing the primality of numbers of special form. This test (which actually predates
Pocklington’s) was proved by E. Proth in 1878.

Theorem 9.21. Proth’s Primality Test. Let n be a positive integer with $n = k2^m + 1$,
where k is an odd integer and m is an integer with $k < 2^m$. If there is an integer a such
that

$$a^{(n-1)/2} \equiv -1 \pmod{n},$$

then n is prime.

Proof. Let $s = 2^m$ and t = k, so that s > t by the hypotheses. If

$$a^{(n-1)/2} \equiv -1 \pmod{n}, \tag{9.7}$$

we can easily show that $(a^{(n-1)/2} - 1, n) = 1$. To see this, note that if $d \mid (a^{(n-1)/2} - 1)$
and $d \mid n$, then by (9.7), $d \mid (a^{(n-1)/2} + 1)$. It follows that d divides
$(a^{(n-1)/2} + 1) - (a^{(n-1)/2} - 1) = 2$. Because n is odd, it follows that d = 1. Consequently, all the
hypotheses of Pocklington’s primality test are satisfied, so n is prime. ■

Example 9.25. We will use Proth’s primality test to show that $n = 13 \cdot 2^8 + 1 = 3329$ is
prime. First, note that $13 < 2^8 = 256$. Take a = 3. We find (with the help of computation
software) that

$$3^{(n-1)/2} = 3^{3328/2} = 3^{1664} \equiv -1 \pmod{3329}.$$

It follows by Proth’s primality test that 3329 is prime. ◄

Proth’s primality test has been used extensively to prove the primality of many large
numbers of the form $k2^m + 1$. Two of the ten largest primes currently known have been
found using Proth’s primality test; the rest are Mersenne primes. For a few years, the
largest known prime was not a Mersenne prime, but one of the form $k2^m + 1$. You can
download PC-based software from the Web for running Proth’s primality test and look for
new primes of the form $k2^m + 1$ yourself! If you find one, you will receive some small
amount of fame, but it will not make you as famous as if you found a new Mersenne
prime.
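
Theorems 9.20 and 9.21 translate directly into checks that need only a partial factorization of n - 1. The following Python sketch is an added example, not code from the book or from any Proth-testing software; the function names and the default list of trial bases are illustrative, and the primes passed to `pocklington` are assumed to have been verified as prime by the caller.

```python
from math import gcd


def pocklington(n, f_primes, a):
    """Theorem 9.20 with F built from the primes in f_primes (assumed prime).

    F is the largest divisor of n - 1 composed of those primes and R = (n-1)/F,
    so (F, R) = 1 holds by construction. True means n is proved prime; False
    means this choice of F and a proves nothing.
    """
    if n < 3 or any(q < 2 or (n - 1) % q for q in f_primes):
        return False
    F, R = 1, n - 1
    for q in f_primes:
        while R % q == 0:
            R //= q
            F *= q
    if F <= R or pow(a, n - 1, n) != 1:
        return False
    return all(gcd(pow(a, (n - 1) // q, n) - 1, n) == 1 for q in f_primes)


def proth(n, a):
    """Theorem 9.21: n = k*2^m + 1, k odd, k < 2^m, a^((n-1)/2) ≡ -1 (mod n)."""
    if n < 3 or n % 2 == 0:
        return False
    k, m = n - 1, 0
    while k % 2 == 0:
        k //= 2
        m += 1
    return k < 2 ** m and pow(a, (n - 1) // 2, n) == n - 1


def proth_primes(k, max_m, bases=(2, 3, 5, 7, 11)):
    """Numbers k*2^m + 1, 1 <= m <= max_m, proved prime by some trial base.

    A prime that none of the trial bases certifies is simply not reported.
    """
    found = []
    for m in range(1, max_m + 1):
        n = k * 2 ** m + 1
        if any(proth(n, a) for a in bases):
            found.append(n)
    return found


if __name__ == "__main__":
    print(pocklington(23801, [2, 5], 3))   # Example 9.24: F = 200, R = 119
    print(proth(3329, 3))                  # Example 9.25
    print(proth(3329, 2))                  # base 2 proves nothing for 3329
    print(proth_primes(3, 12))
```

A False result from either function is inconclusive rather than a proof of compositeness: another base a, or a larger factored part F, may still succeed.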


9.5 Exercises 


1. Show that 101 is prime using Lucas’s converse of Fermat’s little theorem with x = 2.

2. Show that 211 is prime using Lucas’s converse of Fermat’s little theorem with x = 2.

3. Show that 233 is prime using Corollary 9.18.1 with x = 3.

4. Show that 257 is prime using Corollary 9.18.1 with x = 3.

5. Show that if an integer x exists such that

$$x^{2^{2^n}} \equiv 1 \pmod{F_n}$$

and

$$x^{2^{2^n - 1}} \not\equiv 1 \pmod{F_n},$$

then the Fermat number $F_n = 2^{2^n} + 1$ is prime.

6. Let n be a positive integer. Show that if the prime-power factorization of n - 1 is
$n - 1 = p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$, and for j = 1, 2, ..., t, there exists an integer $x_j$ such that

$$x_j^{(n-1)/p_j} \not\equiv 1 \pmod{n}$$

and

$$x_j^{n-1} \equiv 1 \pmod{n},$$

then n is prime.

7. Let n be a positive integer such that 


n - l = m 

j=i 

where m is a positive integer, $a_1, a_2, \ldots, a_r$ are positive integers, and $q_1, q_2, \ldots, q_r$ are
relatively prime integers greater than 1. Furthermore, let $b_1, b_2, \ldots, b_r$ be positive integers
such that there exist integers $x_1, x_2, \ldots, x_r$ with

$$x_j^{n-1} \equiv 1 \pmod{n}$$

and 

n)= 1 

for j = 1, 2, ..., r, where every prime factor of $q_j$ is greater than or equal to $b_j$ for
j = 1, 2, ..., r, and

j = i 


Show that n is prime.

8. Use Pocklington’s primality test to show that 7057 is prime. (Hint: Take $F = 2^4 \cdot 3^2 = 144$
and R = 49 in 7057 - 1 = 7056 = FR.)

9. Use Pocklington’s primality test to show that 9929 is prime. (Hint: Take $F = 136 = 2^3 \cdot 17$
and R = 73 in 9929 - 1 = 9928 = FR.)

10. Use Proth’s primality test to show that 449 is prime.

11. Use Proth’s primality test to show that 3329 is prime.

* 12. Show that the integer n is prime if n - 1 = FR, where (F, R) = 1, B is an integer with
$FB > \sqrt{n}$, and R has no prime factors less than B; for each prime q dividing F, there exists
an integer a such that $a^{n-1} \equiv 1 \pmod{n}$ and $(a^{(n-1)/q} - 1, n) = 1$; and there exists an integer
b greater than 1 such that $b^{n-1} \equiv 1 \pmod{n}$ and $(b^F - 1, n) = 1$.

* 13. Suppose that $n = hq^k + 1$, where q is prime and $q^k > h$. Show that n is prime if there exists
an integer a such that $a^{n-1} \equiv 1 \pmod{n}$ and $(a^{(n-1)/q} - 1, n) = 1$.

* 14. A Sierpinski number is a positive odd integer k for which the integers $k2^n + 1$, where n is
an integer with n > 1, are all composite. In 1960, Waclaw Sierpinski proved that there are
infinitely many of these numbers. Show that 78557 is a Sierpinski number.


WACLAW SIERPINSKI (1882-1969) was born in Warsaw where his father
was a prominent doctor. His mathematical talent was spotted by his first high
school mathematics teacher. In 1900, Sierpinski enrolled in the University of
Warsaw, winning a gold medal in 1903 for a paper in number theory. In 1904,
he graduated, even though he purposely failed his Russian language exam to
protest the Russian dominance of Poland. After graduating, Sierpinski taught
at a Warsaw girl’s school. When the school went on strike during the 1905
revolution, he moved to Krakow to pursue graduate studies at Jagiellonian
University. In 1906, he received his doctorate, and two years later was appointed to a position at
the University of Lvov. When World War I began, he was interned by the Russians, but prominent
Russian mathematicians arranged for him to spend the war years working with them in Moscow. In
1918, Sierpinski returned to Lvov, shortly thereafter accepting a professorship at the University of
Warsaw. During World War II, Sierpinski continued working in the underground university, while his
official job was a clerk. After the Warsaw uprising of 1944, the Nazis burned his house, destroying
his library. After the war, he resumed his position at the University of Warsaw, retiring in 1960.

Sierpinski was noted for the richness of his ideas and the many questions he posed. He was 
extremely prolific and wrote more than 700 papers and more than 50 books. He made important 
contributions to many different areas of mathematics, including number theory, set theory, the theory 
of functions, and topology. Sierpinski numbers, which are positive odd integers k such that $k2^n + 1$
is composite for all integers n > 1, remain an active research topic. Fractals named after him include
the Sierpinski triangle, the Sierpinski curve, and the Sierpinski carpet. 

Sierpinski was noted for a cheerful disposition and for his exceptionally good health. Fortunately,
he could work productively under any conditions, including the terrible condition of the Russian
occupation of Poland, World War I, and World War II.

Computations and Explorations

1. Use Pocklington’s primality test to show that 10,998,989 is prime, with n - 1 = FR, where
s = 4004, t = 2747, and a = 3.

2. Use Pocklington’s primality test to show that 111,649,121 is prime.

3. Use Proth’s primality test to find as many primes of the form $3 \cdot 2^n + 1$ as you can.

4. Use Proth’s primality test to find as many primes of the form $5 \cdot 2^n + 1$ as possible.

5. It has been conjectured that 78557 is the smallest Sierpinski number (see Exercise 14).
(Sierpinski showed in 1960 that there are infinitely many Sierpinski numbers.) The Seventeen or
Bust distributed computing project (with home page www.seventeenorbust.com) was founded
in 2002 with the goal of eliminating seventeen possible counterexamples to this conjecture.
As of early 2010, the project has eliminated 11 of the 17 original values. Join this project,
download software from their site, and try to eliminate one of the six remaining integers
10223, 21811, 22699, 24737, 55459, and 67607. (Eliminating k, where k is one of these
integers, requires that you use their software to find an integer n such that $k2^n + 1$ is prime.)

6. Give a succinct certification of primality of $F_4 = 2^{2^4} + 1 = 65537$.

Programming Projects 

Show that a positive integer n is prime using the following tests.

1. Lucas’s converse of Fermat’s little theorem 

2. Corollary 9.18.1 

3. Pocklington’s primality test 

4. Proth’s primality test 


9.6 Universal Exponents 

Let n be a positive integer greater than 1 with prime-power factorization

$$n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}.$$

If a is an integer relatively prime to n, then Euler’s theorem tells us that

$$a^{\phi(p^t)} \equiv 1 \pmod{p^t},$$

whenever $p^t$ is one of the prime powers occurring in the factorization of n. As in the
proof of Theorem 9.13, let

$$U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})],$$

the least common multiple of the integers $\phi(p_i^{t_i})$, i = 1, 2, ..., m. Because

$$\phi(p_i^{t_i}) \mid U,$$

for i = 1, 2, ..., m, using Theorem 9.1 we see that

$$a^U \equiv 1 \pmod{p_i^{t_i}},$$

for i = 1, 2, ..., m. Hence, by Exercise 39 in Section 3.5, it follows that

$$a^U \equiv 1 \pmod{n}.$$

This leads to the following definition.

Definition. A universal exponent of the positive integer n is a positive integer U such
that

$$a^U \equiv 1 \pmod{n},$$

for all integers a relatively prime to n.

Example 9.26. Because the prime-power factorization of 600 is $2^3 \cdot 3 \cdot 5^2$, it follows
that $U = [\phi(2^3), \phi(3), \phi(5^2)] = [4, 2, 20] = 20$ is a universal exponent of 600. ◄

From Euler’s theorem, we know that $\phi(n)$ is a universal exponent. As we have already
demonstrated, the integer $U = [\phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})]$ is also a universal
exponent of $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$. We are interested in finding the smallest positive
universal exponent of n.

Definition. The least universal exponent of the positive integer n is called the minimal
universal exponent of n, and is denoted by $\lambda(n)$.

We now find a formula for the minimal universal exponent $\lambda(n)$, based on the
prime-power factorization of n.

First, note that if n has a primitive root, then $\lambda(n) = \phi(n)$. Because powers of odd
primes possess primitive roots, we know that

$$\lambda(p^t) = \phi(p^t),$$

whenever p is an odd prime and t is a positive integer. Similarly, we have $\lambda(2) = \phi(2) = 1$
and $\lambda(4) = \phi(4) = 2$, because both 2 and 4 have primitive roots. On the other hand, if
$t \ge 3$, then we know by Theorem 9.11 that for every odd integer a, we have

$$a^{2^{t-2}} \equiv 1 \pmod{2^t}.$$

On the other hand, by Theorem 9.12, we have $\operatorname{ord}_{2^t} 5 = 2^{t-2}$. Hence, we can conclude
that $\lambda(2^t) = 2^{t-2}$ if $t \ge 3$.

We have found $\lambda(n)$ when n is a power of a prime. Next, we turn our attention to
arbitrary positive integers n.

Theorem 9 . 22 . Let n be a positive integer with prime-power factorization 

»= 2Vi‘P2 2 -- 
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Then A(n), the minimal universal exponent of n, is given by 
Mn) = [A.(2 f °), 0(pf), ■ • • , 0(pi)]. 

Moreover, there exists an integer a such that ord„a = A .(n), the largest possible order of 
an integer modulo n. 

Proof. Let b be an integer with $(b, n) = 1$. For convenience, let

$$M = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \phi(p_2^{t_2}), \ldots, \phi(p_m^{t_m})].$$

Because M is divisible by all of the integers $\lambda(2^{t_0})$, $\phi(p_1^{t_1}) = \lambda(p_1^{t_1})$,
$\phi(p_2^{t_2}) = \lambda(p_2^{t_2})$, ..., $\phi(p_m^{t_m}) = \lambda(p_m^{t_m})$, and because
$b^{\lambda(p^t)} \equiv 1 \pmod{p^t}$ for all prime powers in the factorization of n, we see that

$$b^M \equiv 1 \pmod{p^t}$$

whenever $p^t$ is a prime power occurring in the factorization of n.

Consequently, by Corollary 4.8.1 we can conclude that

$$b^M \equiv 1 \pmod n.$$

The last congruence established the fact that M is a universal exponent. We must
now show that M is the least universal exponent. To do this, we find an integer a such
that no positive power smaller than the Mth power of a is congruent to 1 modulo n. With
this in mind, let $r_i$ be a primitive root of $p_i^{t_i}$.

We consider the system of simultaneous congruences

$$x \equiv 5 \pmod{2^{t_0}}$$
$$x \equiv r_1 \pmod{p_1^{t_1}}$$
$$x \equiv r_2 \pmod{p_2^{t_2}}$$
$$\vdots$$
$$x \equiv r_m \pmod{p_m^{t_m}}.$$

By the Chinese remainder theorem, there is a simultaneous solution a of this system
that is unique modulo $n = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$; we will show that $\mathrm{ord}_n a = M$.
To prove this claim, assume that N is a positive integer such that

$$a^N \equiv 1 \pmod n.$$

Then, if $p^t$ is a prime-power divisor of n, we have

$$a^N \equiv 1 \pmod{p^t},$$

so that

$$\mathrm{ord}_{p^t} a \mid N.$$

But, because a satisfies each of the m + 1 congruences of the system, we have

$$\mathrm{ord}_{p^t} a = \lambda(p^t),$$

for each prime power in the factorization. Hence, by Theorem 9.1, we have

$$\lambda(p^t) \mid N,$$

for all prime powers $p^t$ in the factorization of n. Therefore, by Corollary 4.8.1, we know
that $M = [\lambda(2^{t_0}), \lambda(p_1^{t_1}), \lambda(p_2^{t_2}), \ldots, \lambda(p_m^{t_m})] \mid N$.

Because $a^M \equiv 1 \pmod n$ and $M \mid N$ whenever $a^N \equiv 1 \pmod n$, we can conclude
that the smallest positive integer x for which $a^x \equiv 1 \pmod n$ is x = M. Hence, by the
definition of order modulo n, we have

$$\mathrm{ord}_n a = M.$$

This shows that $M = \lambda(n)$ and simultaneously produces a positive integer a with
$\mathrm{ord}_n a = \lambda(n)$. ■

Example 9.27. Because the prime-power factorization of 180 is $2^2 \cdot 3^2 \cdot 5$, from
Theorem 9.22 it follows that

$$\lambda(180) = [\phi(2^2), \phi(3^2), \phi(5)] = 12.$$

To find an integer a with $\mathrm{ord}_{180} a = 12$, first we find primitive roots modulo $3^2$ and 5. For
instance, we take 2 and 3 as primitive roots modulo $3^2$ and 5, respectively. Then, using
the Chinese remainder theorem, we find a solution of the system of congruences

$$a \equiv 3 \pmod 4$$
$$a \equiv 2 \pmod 9$$
$$a \equiv 3 \pmod 5,$$

obtaining $a \equiv 83 \pmod{180}$. From the proof of Theorem 9.22, we see that $\mathrm{ord}_{180} 83 = 12$.


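Example 9.28. Let $n = 2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73$. Then we have

$$\lambda(n) = [\lambda(2^6), \phi(3^2), \phi(5), \phi(7), \phi(13), \phi(17), \phi(19), \phi(37), \phi(73)]$$
$$= [2^4, 2 \cdot 3, 2^2, 2 \cdot 3, 2^2 \cdot 3, 2^4, 2 \cdot 3^2, 2^2 \cdot 3^2, 2^3 \cdot 3^2]$$
$$= 2^4 \cdot 3^2$$
$$= 144.$$

Hence, whenever a is a positive integer relatively prime to
$2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73$, we know that
$a^{144} \equiv 1 \pmod{2^6 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 19 \cdot 37 \cdot 73}$. ◄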

Results about Carmichael Numbers We now return to the Carmichael numbers,
which we discussed in Section 6.2. Recall that a Carmichael number is a composite
integer that satisfies $b^{n-1} \equiv 1 \pmod n$ for all positive integers b with $(b, n) = 1$. We
proved that if $n = q_1 q_2 \cdots q_k$, where $q_1, q_2, \ldots, q_k$ are distinct primes satisfying
$(q_j - 1) \mid (n - 1)$ for j = 1, 2, ..., k, then n is a Carmichael number. Here, we prove the
converse of this result.

Theorem 9.23. If n > 2 is a Carmichael number, then $n = q_1 q_2 \cdots q_k$, where the $q_j$
are distinct odd primes such that $(q_j - 1) \mid (n - 1)$ for j = 1, 2, ..., k.

Proof. If n is a Carmichael number, then

$$b^{n-1} \equiv 1 \pmod n,$$

for all positive integers b with $(b, n) = 1$. Theorem 9.22 tells us that there is an integer a
with $\mathrm{ord}_n a = \lambda(n)$, where $\lambda(n)$ is the minimal universal exponent; and because
$a^{n-1} \equiv 1 \pmod n$, Theorem 9.1 tells us that

$$\lambda(n) \mid (n - 1).$$

Now n must be odd, for if n were even, then n − 1 would be odd, but $\lambda(n)$ is even (because
n > 2), contradicting the fact that $\lambda(n) \mid (n - 1)$.

We now show that n must be the product of distinct primes. Suppose that n has a
prime-power factor $p^t$ with $t \ge 2$. Then

$$\lambda(p^t) = \phi(p^t) = p^{t-1}(p - 1) \mid \lambda(n) \mid (n - 1).$$

This implies that $p \mid (n - 1)$, which is impossible because $p \mid n$. Consequently, n must
be the product of distinct odd primes, say,

$$n = q_1 q_2 \cdots q_k.$$

We conclude the proof by noting that

$$\lambda(q_j) = \phi(q_j) = (q_j - 1) \mid \lambda(n) \mid (n - 1).$$


We can easily prove more about the prime factorizations of Carmichael numbers. 

Theorem 9.24. A Carmichael number must have at least three different odd prime 
factors. 

Proof. Let n be a Carmichael number. Then n cannot have just one prime factor, because
it is composite, and is the product of distinct primes. So assume that n = pq, where p
and q are odd primes with p > q. Then

$$n - 1 = pq - 1 = (p - 1)q + (q - 1) \equiv q - 1 \not\equiv 0 \pmod{p - 1},$$

which shows that $(p - 1) \nmid (n - 1)$. Hence, n cannot be a Carmichael number if it has
just two different prime factors. ■
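
Theorem 9.22 and the Carmichael number results (Theorems 9.23 and 9.24) can be checked numerically. The following Python is an added example, not code from the book; all function names are this example's own, and it relies on trial division and brute-force order computation, so it is meant for small n.

```python
from math import gcd


def factorize(n):
    """Prime-power factorization by trial division, returned as {p: t}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def lcm(a, b):
    return a * b // gcd(a, b)


def lambda_prime_power(p, t):
    """lambda(p^t): phi(p^t) for odd p and for 2 and 4; 2^(t-2) for 2^t, t >= 3."""
    if p == 2 and t >= 3:
        return 2 ** (t - 2)
    return p ** (t - 1) * (p - 1)


def carmichael_lambda(n):
    """Minimal universal exponent of n, computed as the lcm in Theorem 9.22."""
    result = 1
    for p, t in factorize(n).items():
        result = lcm(result, lambda_prime_power(p, t))
    return result


def order(a, n):
    """Multiplicative order of a modulo n by repeated multiplication."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    k, x = 1, a % n
    while x != 1 % n:
        x, k = x * a % n, k + 1
    return k


def crt(congruences):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i; returns x mod prod(m_i)."""
    x, m = 0, 1
    for r_i, m_i in congruences:
        # Choose k so that x + m*k = r_i (mod m_i); m is invertible modulo m_i.
        k = (r_i - x) * pow(m, -1, m_i) % m_i
        x, m = x + m * k, m * m_i
    return x % m


def max_order_element(n):
    """An integer a with ord_n(a) = lambda(n), built as in the proof of Theorem 9.22."""
    congruences = []
    for p, t in factorize(n).items():
        q, target = p ** t, lambda_prime_power(p, t)
        # Smallest residue of order lambda(p^t): a primitive root when p is odd.
        # The proof picks 5 modulo 2^t0; any residue of that order works.
        r = next(r for r in range(1, q) if gcd(r, q) == 1 and order(r, q) == target)
        congruences.append((r, q))
    return crt(congruences)


def is_carmichael(n):
    """Composite n for which n - 1 is a universal exponent, i.e. lambda(n) | (n - 1)."""
    f = factorize(n)
    is_prime = len(f) == 1 and list(f.values()) == [1]
    return n > 2 and not is_prime and (n - 1) % carmichael_lambda(n) == 0


if __name__ == "__main__":
    print(carmichael_lambda(180), crt([(3, 4), (2, 9), (3, 5)]), order(83, 180))
    a = max_order_element(180)
    print(a, order(a, 180))
    print([n for n in range(2, 3000) if is_carmichael(n)])
```

`max_order_element` may return a different residue than the 83 of Example 9.27, because it takes the smallest element of the required order modulo each prime power; its order modulo n is still λ(n).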


9.6 Exercises 

1. Find $\lambda(n)$, the minimal universal exponent of n, for the following values of n.

a) 100 d) 884 g) 10!

b) 144 e) $2^4 \cdot 3^3 \cdot 5^2 \cdot 7$ h) 20!

c) 222 f) $2^5 \cdot 3^2 \cdot 5^2 \cdot 7^3 \cdot 11^2 \cdot 13 \cdot 17 \cdot 19$

2. Find all positive integers n such that $\lambda(n)$ is equal to each of the following integers.

a) 1 c) 3 e) 5

b) 2 d) 4 f) 6

3. Find the largest integer n with $\lambda(n) = 12$.

4. Find an integer with the largest possible order for the following moduli.

a) 12 c) 20 e) 40

b) 15 d) 36 f) 63

5. Show that if m is a positive integer, then $\lambda(m)$ divides $\phi(m)$.

6. Show that if m and n are relatively prime positive integers, then $\lambda(mn) = [\lambda(m), \lambda(n)]$.

7. Let n be the largest positive integer satisfying the equation $\lambda(n) = a$, where a is a fixed
positive integer. Show that if m is another solution of $\lambda(m) = a$, then m divides n.

8. Suppose that n is a positive integer. How many incongruent integers are there with maximal 
order modulo n? 

9. Show that if a and m are relatively prime integers, then the solutions of the congruence
$ax \equiv b \pmod m$ are the integers x such that x = (mod m).

10. Show that if c is a positive integer greater than 1, then the integers $1^c, 2^c, \ldots, (m - 1)^c$ form
a complete system of residues modulo m if and only if m is square-free and $(c, \lambda(m)) = 1$.

* 11. a) Show that if c and m are positive integers and m is odd, then the congruence
$x^c \equiv x \pmod m$ has exactly

f](l+(C-l,0(/7^))) 

j= 1 

incongruent solutions, where m has prime-power factorization m = 
b) Show that $x^c \equiv x \pmod m$ has exactly $3^r$ solutions if $(c - 1, \phi(m)) = 2$.

12. Use Exercise 11 to show that there are always at least nine plaintext messages that are not
changed when encrypted using an RSA cipher.

* 13. Show that 561 is the only Carmichael number of the form 3pq, where p and q are primes.

* 14. Find all Carmichael numbers of the form 5pq, where p and q are primes.

* 15. Show that there are only a finite number of Carmichael numbers of the form n = pqr, where 

p is a fixed prime and q and r are also primes. 

16. Show that the decrypting exponent d for an RSA cipher with encrypting key (e, n) can be
taken to be an inverse of e modulo $\lambda(n)$.

Let n be a positive integer. When $(a, n) = 1$, we define the generalized Fermat quotient $q_n(a)$ by
$q_n(a) \equiv (a^{\lambda(n)} - 1)/n \pmod n$ and $0 \le q_n(a) < n$.

17. Show that if $(a, n) = (b, n) = 1$, then $q_n(ab) \equiv q_n(a) + q_n(b) \pmod n$.

18. Show that if $(a, n) = 1$, then $q_n(a + nc) \equiv q_n(a) + \lambda(n) c \bar{a} \pmod n$, where $\bar{a}$ is the
inverse of a modulo n.
Computations and Explorations 

1. Find the universal exponent of all integers less than 1000. 

2. Find Carmichael numbers with at least four different prime factors. 

Programming Projects 

1. Find the minimal universal exponent of a positive integer. 

2. Find an integer with the minimal universal exponent of n as its order modulo n. 

3. Given a positive integer M, find all positive integers n with minimal universal exponent equal 
to M. 

4. Solve linear congruences using the method of Exercise 9. 
10 Applications of Primitive Roots and the Order of an Integer


In this chapter, we will introduce applications that rely on the concepts of orders 
and primitive roots. First, we consider the problem of generating random numbers. 
Computers can produce random numbers using data generated by hardware or software, 
but they cannot create long sequences of random numbers this way. To meet the need 
for long sequences of random numbers in computer programs, procedures have been 
developed to generate numbers that pass many statistical tests that numbers selected truly 
at random pass. The numbers that such procedures generate are called pseudorandom 
numbers. We will introduce several techniques to generate pseudorandom numbers based 
on modular arithmetic and the concepts of the order of integers and primitive roots. 

We will also introduce a public key cryptosystem, known as the ElGamal cryptosystem,
defined using the concept of a primitive root of a prime. The security of this
cryptosystem is based on the difficulty of the problem of finding discrete logarithms 
modulo a prime. We will explain how to encrypt and decrypt messages using ElGamal 
encryption, and how to sign messages in this cryptosystem. 

Finally, we will discuss an application of the concepts of the order of an integer and 
of primitive roots to the splicing of telephone cables. 


10.1 Pseudorandom Numbers 

Numbers chosen at random are useful in many applications. Random numbers are 
needed for computer simulations used to study phenomena in areas such as nuclear 
physics, operations research, and data networking. They can be used to construct random 
samples so that the behavior of a system can be studied when it is impossible to test all 
possible cases. Random numbers are used to test the performance of computer algorithms 
and to run randomized algorithms that make random choices during their execution. 
Random numbers are also extensively used in numerical analysis. For instance, random 
numbers can be used to estimate integrals using Riemann sums, a topic studied in 
calculus. In number theory, random numbers are used in probabilistic primality tests. 
In cryptography, random numbers have many applications, such as in generation of 
cryptokeys and in the execution of cryptographic protocols. 

When we talk about random numbers, we mean the terms of a sequence of numbers
in which each term is selected by chance without any dependence on the other terms of the
sequence, and with a specified probability of lying in a particular interval. (It really makes
no sense to say that a particular number, such as 47, is random, although it can be a term
of a sequence of random numbers.) Before 1940, scientists requiring random numbers
produced them by rolling dice, spinning roulette wheels, picking balls out of an urn,
dealing cards, or taking random digits from tabulated data, such as census reports. In the
1940s, machines were invented to produce random numbers, and in the 1950s, computers
were used to generate random numbers using random noise generators. However, random
numbers produced by a mechanical process often became skewed from malfunctions in
computer hardware. Another important problem was that random numbers generated
using physical phenomena could not be reproduced to check the results of a computer
program.

The idea of generating random numbers using computer programs instead of via
mechanical methods was first proposed in 1946 by John von Neumann. The method he
suggested, called the middle-square method, works as follows. To generate four-digit 
random numbers, we start with an arbitrary four-digit number, say, 6139. We square this 
number to obtain 37,687,321, and we take the middle four digits, 6873, as the second 
random number. We iterate this procedure to obtain a sequence of random numbers, 
always squaring and removing the middle four digits to obtain a new random number 
from the preceding one. (The square of a four-digit number has eight or fewer digits. 
Those with fewer than eight digits are considered eight-digit numbers by adding initial 
digits of 0.) 

Sequences produced by the middle-square method are, in reality, not randomly 
chosen. When the initial four-digit number is known, the entire sequence is determined. 
However, the sequence of numbers produced appears to be random, and the numbers 
produced are useful for computer simulations. The integers in sequences that have been 
chosen in some methodical manner, but appear to be random, are called pseudorandom 
numbers. 

It turns out that the middle-square method has some unfortunate weaknesses. The 
most undesirable feature of this method is that, for many choices of the initial integer, 
the method produces the same small set of numbers over and over. For instance, starting 
with the four-digit integer 4100 and using the middle-square method, we obtain the 
sequence 8100, 6100, 2100, 4100, 8100, 6100, 2100, ..., which only gives four
different numbers before repeating.


JOHN VON NEUMANN (1903-1957) was born in Budapest, Hungary. In
1930, after holding several positions at universities in Germany, he came to the
United States. In 1933, von Neumann became, along with Albert Einstein, one
of the first members of the famous Institute for Advanced Study in Princeton,
New Jersey. Von Neumann was one of the most versatile mathematical talents of
the twentieth century. He invented the mathematical discipline known as game
theory; using game theory, he made many important discoveries in mathematical
economics. Von Neumann made fundamental contributions to the development
of the first computers, and participated in the early development of atomic weapons.
The Linear Congruential Generation 

The most commonly used method for generating pseudorandom numbers, called the
linear congruential method, was introduced by D. H. Lehmer in 1949. It works as
follows: Integers m, a, c, and $x_0$ are chosen so that $2 \le a < m$, $0 \le c < m$, and
$0 \le x_0 < m$. The sequence of pseudorandom numbers is defined recursively by

$$x_{n+1} \equiv a x_n + c \pmod m, \quad 0 \le x_{n+1} < m,$$

for n = 0, 1, 2, 3, .... We call m the modulus, a the multiplier, c the increment, and $x_0$
the seed of the pseudorandom number generator. The following examples illustrate the
linear congruential method.

Example 10.1. When we take m = 12, a = 3, c = 4, and $x_0 = 5$ in the linear congruential
generator, we have $x_1 \equiv 3 \cdot 5 + 4 \equiv 7 \pmod{12}$, so that $x_1 = 7$. Similarly, we find that
$x_2 = 1$, because $x_2 \equiv 3 \cdot 7 + 4 \equiv 1 \pmod{12}$, $x_3 = 7$, because $x_3 \equiv 3 \cdot 1 + 4 \equiv 7 \pmod{12}$,
and so on. Hence, the generator produces just three different integers before repeating.
The sequence of pseudorandom numbers obtained is 5, 7, 1, 7, 1, 7, 1, .... ◄

Example 10.2. When we take m = 9, a = 7, c = 4, and $x_0 = 3$ in the linear congruential
generator, we obtain the sequence 3, 7, 8, 6, 1, 2, 0, 4, 5, 3, ... (as should be verified by
the reader). This sequence contains nine different numbers before repeating. ◄

Remark. For computer simulations it is often necessary to generate pseudorandom
numbers between 0 and 1. We can obtain such numbers by using a linear congruential
generator to produce pseudorandom numbers $x_i$, i = 1, 2, 3, ... between 0 and m, and
then dividing each number by m, obtaining the sequence $x_i/m$, i = 1, 2, 3, ....

The following theorem tells us how to find the terms of a sequence of pseudorandom 
numbers generated by the linear congruential method directly from the multiplier, the 
increment, and the seed. 

Theorem 10.1. The terms of the sequence generated by the linear congruential method
previously described are given by

$$x_k \equiv a^k x_0 + c(a^k - 1)/(a - 1) \pmod m, \quad 0 \le x_k < m.$$

Proof. We prove this result using mathematical induction. For k = 1, the formula is
obviously true, because $x_1 \equiv a x_0 + c \pmod m$, $0 \le x_1 < m$. Assume that the formula is
valid for the kth term, so that

$$x_k \equiv a^k x_0 + c(a^k - 1)/(a - 1) \pmod m, \quad 0 \le x_k < m.$$

Because

$$x_{k+1} \equiv a x_k + c \pmod m, \quad 0 \le x_{k+1} < m,$$

we have

$$x_{k+1} \equiv a(a^k x_0 + c(a^k - 1)/(a - 1)) + c$$
$$= a^{k+1} x_0 + c(a(a^k - 1)/(a - 1) + 1)$$
$$\equiv a^{k+1} x_0 + c(a^{k+1} - 1)/(a - 1) \pmod m,$$

which is the correct formula for the (k + 1)st term. This demonstrates that the formula
is correct for all positive integers k. ■

The period length of a linear congruential pseudorandom number generator is the
maximum length of the sequence obtained without repetition. We note that the longest
possible period length for a linear congruential generator is the modulus m. The following
theorem tells us when this maximum length is obtained.

Theorem 10.2. The linear congruential generator produces a sequence of period length
m if and only if $(c, m) = 1$, $a \equiv 1 \pmod p$ for all primes p dividing m, and $a \equiv 1 \pmod 4$
if $4 \mid m$.

Because the proof of Theorem 10.2 is complicated and quite lengthy, we omit it. 
The reader is referred to [Kn97] for a proof. 
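
The following added example (Python, not code from the book) runs the linear congruential method, measures the period by iteration, tests the three conditions of Theorem 10.2, and evaluates the closed form of Theorem 10.1 without iterating. The function names are this example's own, and the `a == 1` branch goes beyond the range of a stated in the text.

```python
from itertools import islice
from math import gcd


def lcg(m, a, c, x0):
    """Yield x0, x1, x2, ... with x_{n+1} = (a*x_n + c) mod m."""
    x = x0 % m
    while True:
        yield x
        x = (a * x + c) % m


def first_terms(m, a, c, x0, count):
    return list(islice(lcg(m, a, c, x0), count))


def cycle_structure(m, a, c, x0):
    """Return (tail, period): terms before the cycle starts, and the cycle length."""
    first_seen = {}
    for index, x in enumerate(lcg(m, a, c, x0)):
        if x in first_seen:
            return first_seen[x], index - first_seen[x]
        first_seen[x] = index


def has_full_period(m, a, c):
    """Theorem 10.2: (c, m) = 1, a = 1 (mod p) for all primes p | m,
    and a = 1 (mod 4) if 4 | m."""
    # Every prime dividing m divides a - 1 exactly when m | (a - 1)^k for some
    # k >= log2(m), so the condition can be tested without factoring m.
    primes_ok = pow(a - 1, m.bit_length(), m) == 0
    four_ok = m % 4 != 0 or a % 4 == 1
    return gcd(c, m) == 1 and primes_ok and four_ok


def kth_term(m, a, c, x0, k):
    """Theorem 10.1: x_k = a^k x0 + c (a^k - 1)/(a - 1) (mod m)."""
    if a == 1:
        return (x0 + c * k) % m
    # (a^k - 1)/(a - 1) is an integer. Reducing a^k modulo m(a - 1) keeps that
    # quotient correct modulo m without ever forming the huge number a^k.
    big = m * (a - 1)
    geometric_sum = ((pow(a, k, big) - 1) % big) // (a - 1)
    return (pow(a, k, m) * x0 + c * geometric_sum) % m


if __name__ == "__main__":
    # Example 10.1: the cycle 7, 1 is entered after one term; no full period.
    print(first_terms(12, 3, 4, 5, 7), cycle_structure(12, 3, 4, 5),
          has_full_period(12, 3, 4))
    # Example 10.2: all nine residues appear before the sequence repeats.
    print(first_terms(9, 7, 4, 3, 10), cycle_structure(9, 7, 4, 3),
          has_full_period(9, 7, 4))
    print(kth_term(9, 7, 4, 3, 10**18))
```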

The Pure Multiplicative Congruential Method 

The case of the linear congruential generator with c = 0 is of special interest because of its
simplicity. In this case, the method is called the pure multiplicative congruential method.
We specify the modulus m, multiplier a, and seed $x_0$. The sequence of pseudorandom
numbers is defined recursively by

$$x_{n+1} \equiv a x_n \pmod m, \quad 0 \le x_{n+1} < m.$$

In general, we can express the pseudorandom numbers generated in terms of the
multiplier and seed:

$$x_n \equiv a^n x_0 \pmod m, \quad 0 \le x_{n+1} < m.$$

If $\ell$ is the period length of the sequence obtained using this pure multiplicative generator,
then $\ell$ is the smallest positive integer such that

$$x_0 \equiv a^{\ell} x_0 \pmod m.$$

If $(x_0, m) = 1$, using Corollary 4.4.1 we have

$$a^{\ell} \equiv 1 \pmod m.$$

From this congruence, we know that the largest possible period length is $\lambda(m)$, where
$\lambda(m)$ is the minimal universal exponent modulo m.

For many applications, the pure multiplicative generator is used with the modulus
m equal to the Mersenne prime $M_{31} = 2^{31} - 1$. When the modulus m is a prime, the
maximum period length is m − 1, and this is obtained when a is a primitive root of m.
To find a primitive root of $M_{31}$ that can be used with good results, we first demonstrate
that 7 is a primitive root of $M_{31}$.

Theorem 10.3. The integer 7 is a primitive root of $M_{31} = 2^{31} - 1$.

Proof. To show that 7 is a primitive root of $M_{31} = 2^{31} - 1$, it is sufficient to show that

$$7^{(M_{31}-1)/q} \not\equiv 1 \pmod{M_{31}},$$

for all prime divisors q of $M_{31} - 1$. With this information, we can conclude that
$\mathrm{ord}_{M_{31}} 7 = M_{31} - 1$. To find the factorization of $M_{31} - 1$, we note that

$$M_{31} - 1 = 2^{31} - 2 = 2(2^{30} - 1) = 2(2^{15} - 1)(2^{15} + 1)$$
$$= 2(2^5 - 1)(2^{10} + 2^5 + 1)(2^5 + 1)(2^{10} - 2^5 + 1)$$
$$= 2 \cdot 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331.$$

If we show that

$$7^{(M_{31}-1)/q} \not\equiv 1 \pmod{M_{31}},$$

for q = 2, 3, 7, 11, 31, 151, and 331, then we know that 7 is a primitive root of $M_{31}$ =
2,147,483,647. Because

$$7^{(M_{31}-1)/2} \equiv 2{,}147{,}483{,}646 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/3} \equiv 1{,}513{,}477{,}735 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/7} \equiv 120{,}536{,}285 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/11} \equiv 1{,}969{,}212{,}174 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/31} \equiv 512 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/151} \equiv 535{,}044{,}134 \not\equiv 1 \pmod{M_{31}}$$
$$7^{(M_{31}-1)/331} \equiv 1{,}761{,}885{,}083 \not\equiv 1 \pmod{M_{31}},$$

we see that 7 is a primitive root of $M_{31}$. ■

In practice, we do not want to use the primitive root 7 as the generator, because
the first few integers generated are small. Instead, we find a larger primitive root using
Corollary 9.4.1. We use $7^k$, where $(k, M_{31} - 1) = 1$. For instance, because $(5, M_{31} - 1) = 1$,
we know that $7^5 = 16{,}807$ is a primitive root. Because $(13, M_{31} - 1) = 1$, another
possibility is to use $7^{13} \equiv 252{,}246{,}292 \pmod{M_{31}}$ as the multiplier.

The Square Pseudorandom Number Generator 

Another example of a pseudorandom number generator is the square pseudorandom
number generator. Given a positive integer n (the modulus) and an initial term $x_0$
(the seed), this generator produces a sequence of pseudorandom numbers using the
congruence

$$x_{i+1} \equiv x_i^2 \pmod n, \quad 0 \le x_{i+1} < n.$$

From this definition, we can easily see that

$$x_i \equiv x_0^{2^i} \pmod n, \quad 0 \le x_i < n.$$

Example 10.3. Let n = 209 be the modulus and $x_0 = 6$ the seed of the square
pseudorandom number generator. The sequence produced by this generator is

6, 36, 42, 92, 104, 157, 196, 169, 137, 168, 9, 81, 82, 36, 42, ....

We see that this sequence has a period of length 12. The first term is not part of the period. ◄

We can determine the length of the period of a square pseudorandom number 
generator using the concept of order modulo n, as the following theorem shows. 

Theorem 10.4. The length of the period of the square pseudorandom number generator with
seed $x_0$ and modulus n is $\mathrm{ord}_s 2$, where the integer s is the odd positive integer such that
$\mathrm{ord}_n x_0 = 2^t s$, where t is a nonnegative integer.

Proof. We will show that $\mathrm{ord}_s 2$ divides $\ell$, the length of the period of this generator.
Suppose that $x_j = x_{j+\ell}$ for some integer j. Then

$$x_0^{2^j} \equiv x_0^{2^{j+\ell}} \pmod n,$$

which implies that

$$x_0^{2^{j+\ell} - 2^j} \equiv 1 \pmod n.$$

Using the definition of the order of an integer modulo n, we see that

$$\mathrm{ord}_n x_0 \mid (2^{j+\ell} - 2^j),$$

or, equivalently, that

(10.1) $$2^{j+\ell} \equiv 2^j \pmod{2^t s}.$$

Because $2^t \mid (2^{j+\ell} - 2^j)$ and $2^{j+\ell} - 2^j = 2^j(2^{\ell} - 1)$, we see that $j \ge t$. By congruence
(10.1) and Theorem 4.4, it follows that

$$2^{j+\ell-t} \equiv 2^{j-t} \pmod s.$$

Using Theorem 9.2, we see that $j + \ell - t \equiv j - t \pmod{\mathrm{ord}_s 2}$. Hence,
$\ell \equiv 0 \pmod{\mathrm{ord}_s 2}$, which means that $\mathrm{ord}_s 2$ divides $\ell$, the period length.

We will now show that the period $\ell$ divides $\mathrm{ord}_s 2$. To show that $\mathrm{ord}_s 2$ is a multiple
of $\ell$, we need only show that there are two terms $x_j$ and $x_k$ with $x_j = x_k$ such that
$j \equiv k \pmod{\mathrm{ord}_s 2}$. To accomplish this, we suppose that $j \equiv k \pmod{\mathrm{ord}_s 2}$ and that
$k > j \ge t$. By Theorem 9.2, we see that

$$2^j \equiv 2^k \pmod s.$$

Furthermore, we have

$$2^k \equiv 2^j \pmod{2^t},$$

because $2^k - 2^j = 2^j(2^{k-j} - 1)$ and $j \ge t$. By Corollary 4.8.1 and the fact that $(2^t, s) = 1$,
we can conclude that

$$2^j \equiv 2^k \pmod{2^t s}.$$

Because $\mathrm{ord}_n x_0 = 2^t s$, we know that

$$\mathrm{ord}_n x_0 \mid (2^k - 2^j),$$

which means that

$$x_0^{2^k - 2^j} \equiv 1 \pmod n,$$

which in turn tells us that

$$x_0^{2^k} \equiv x_0^{2^j} \pmod n.$$

This implies that $x_k = x_j$. We conclude that $\mathrm{ord}_s 2$ must be a multiple of $\ell$, completing
the proof. ■

Example 10.4. In Example 10.3, we used the modulus n = 209 and the seed $x_0 = 6$
in the square pseudorandom generator. We note that $\mathrm{ord}_{209} 6 = 90$ (as the reader should
verify). Because $90 = 2 \cdot 45$, Theorem 10.4 tells us that the period length of this generator
is $\mathrm{ord}_{45} 2 = 12$ (as the reader should verify). This is the length we observed when we listed
the terms generated. ◄
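
The two verifications left to the reader in Example 10.4 can be carried out mechanically. This added Python example (not from the book; function names are its own) iterates the square generator until a term repeats and compares the observed period with the value $\mathrm{ord}_s 2$ predicted by Theorem 10.4, assuming the seed is relatively prime to the modulus.

```python
from math import gcd


def order(a, n):
    """Multiplicative order of a modulo n (requires gcd(a, n) = 1)."""
    k, x = 1, a % n
    while x != 1 % n:
        x, k = x * a % n, k + 1
    return k


def square_generator_cycle(n, x0):
    """Iterate x_{i+1} = x_i^2 mod n until a term repeats.

    Returns (terms, tail, period): the distinct terms in order, the number of
    terms before the periodic part begins, and the length of the period.
    """
    terms, first_seen, x = [], {}, x0 % n
    while x not in first_seen:
        first_seen[x] = len(terms)
        terms.append(x)
        x = x * x % n
    tail = first_seen[x]
    return terms, tail, len(terms) - tail


def predicted_period(n, x0):
    """Theorem 10.4: write ord_n(x0) = 2^t * s with s odd; the period is ord_s(2).

    Returns (t, s, period).
    """
    if gcd(x0, n) != 1:
        raise ValueError("the seed must be relatively prime to the modulus")
    s, t = order(x0, n), 0
    while s % 2 == 0:
        s, t = s // 2, t + 1
    return t, s, order(2, s)


if __name__ == "__main__":
    terms, tail, period = square_generator_cycle(209, 6)
    print(terms, tail, period)
    print(order(6, 209), predicted_period(209, 6))
```

For modulus 209 and seed 6 the observed tail of one term matches t = 1, which is the condition $j \ge t$ used in the proof.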

How can we tell whether the terms of a sequence of pseudorandom numbers are
useful for computer simulations and other applications? One method is to see whether
these numbers pass statistical tests designed to determine whether a sequence has
particular characteristics that a truly random sequence would most likely have. A battery of
such tests can be used to evaluate pseudorandom number generators. For example, the
frequencies of numbers can be tested, as can the frequencies of pairs of numbers. The
frequencies of the appearance of subsequences can be checked, as can the frequency of
runs of the same number of various lengths. An autocorrelation test that checks whether
there are correlations of the sequence and shifted versions of it may also be helpful.
These and other tests are discussed in [Kn97] and [MevaVa97].

For cryptographic applications, pseudorandom number generators must not be
predictable. For example, a linear congruential pseudorandom number generator cannot be
used for cryptographic applications, because, in sequences generated this way,
knowledge of several consecutive terms can be used to find other terms. Instead,
cryptographically secure pseudorandom number generators must be used. These produce sequences
such that the terms of the sequence are unpredictable to an adversary with limited
computational resources. These notions are made more precise in [MevaVa97], and in [La90].
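
Why a linear congruential generator fails this requirement, as an added example (Python, not from the book): when the modulus is known, three consecutive terms determine a and c, and every later term follows. The increment and seed below are constructed for illustration (the modulus and multiplier are the $M_{31}$ and $7^5$ of the text), and the function names are this example's own; `fits_lcg` is the kind of check a reviewer can run over values produced by a generator under audit.

```python
from math import gcd

# Constructed generator: modulus M31 and multiplier 7^5 as in the text, with an
# increment and a seed chosen here purely for illustration.
M, A, C, SEED = 2**31 - 1, 16807, 12345, 20240101


def lcg_terms(m, a, c, x0, count):
    terms, x = [], x0 % m
    for _ in range(count):
        terms.append(x)
        x = (a * x + c) % m
    return terms


def recover_parameters(m, x0, x1, x2):
    """Solve x1 = a*x0 + c and x2 = a*x1 + c (mod m) for (a, c).

    Subtracting gives x2 - x1 = a (x1 - x0), so a is found by one modular
    inverse, provided x1 - x0 is invertible modulo m.
    """
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        raise ValueError("x1 - x0 is not invertible modulo m; other terms are needed")
    a = (x2 - x1) * pow(d, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c


def fits_lcg(m, terms):
    """Return (a, c) if all terms follow one linear congruential rule mod m, else None."""
    if len(terms) < 4:
        raise ValueError("need at least four terms: three to solve, one to confirm")
    try:
        a, c = recover_parameters(m, *terms[:3])
    except ValueError:
        return None
    consistent = all((a * x + c) % m == y for x, y in zip(terms, terms[1:]))
    return (a, c) if consistent else None


def predict(m, a, c, last, count):
    """The next `count` terms after `last`, once a and c are known."""
    return lcg_terms(m, a, c, last, count + 1)[1:]


if __name__ == "__main__":
    observed = lcg_terms(M, A, C, SEED, 8)
    a, c = recover_parameters(M, *observed[:3])
    print((a, c) == (A, C), predict(M, a, c, observed[2], 5) == observed[3:])
    print(fits_lcg(M, observed))
```

When `fits_lcg` returns parameters for values that were meant to be secret, the source is not suitable for keys or tokens; in Python the `secrets` module draws from the operating system's cryptographically secure generator instead.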

We have only briefly touched upon the subject of pseudorandom numbers. For 
a thorough discussion of pseudorandom numbers, see [Kn97], and for a survey of 
the relationships between pseudorandom number generators and cryptography, see the 
chapter by Lagarias in [Po90]. 
10.1 Exercises

1. Find the sequence of two-digit pseudorandom numbers generated using the middle-square
method, taking 69 as the seed.

2. Find the first ten terms of the sequence of pseudorandom numbers generated by the linear
congruential method with $x_0 = 6$ and $x_{n+1} \equiv 5x_n + 2 \pmod{19}$. What is the period length of
this generator?

3. Find the period length of the sequence of pseudorandom numbers generated by the linear
congruential method with $x_0 = 2$ and $x_{n+1} \equiv 4x_n + 7 \pmod{25}$.

4. Show that if either a = 0 or a = 1 is used for the multiplier in the linear congruential method,
the result would not be a good choice for a sequence of pseudorandom numbers.

5. Using Theorem 10.2, find those integers a that give period length m, where $(c, m) = 1$, for
the linear congruential generator $x_{n+1} \equiv ax_n + c \pmod m$, for each of the following moduli.

a) m = 1000 b) m = 30030 c) $m = 10^6 - 1$ d) $m = 2^{25} - 1$

* 6. Show that every linear congruential pseudorandom number generator can be simply expressed
in terms of a linear congruential generator with increment c = 1 and seed 0, by showing that
the terms generated by the linear congruential generator $x_{n+1} \equiv ax_n + c \pmod m$, with seed
$x_0$, can be expressed as $x_n \equiv b \cdot y_n + x_0 \pmod m$, where $b \equiv (a - 1)x_0 + c \pmod m$, $y_0 = 0$,
and $y_{n+1} \equiv ay_n + 1 \pmod m$.

7. Find the period length of the pure multiplicative pseudorandom number generator
$x_n \equiv cx_{n-1} \pmod{2^{31} - 1}$ for each of the following multipliers c.

a) 2 c) 4 e) 13

b) 3 d) 5 f) 17

8. Show that the maximal possible period length for a pure multiplicative generator of the form
$x_{n+1} \equiv ax_n \pmod{2^e}$, $e \ge 3$, is $2^{e-2}$. Show that this is obtained when $a \equiv \pm 3 \pmod 8$.

9. Find the sequence of numbers generated by the square pseudorandom number generator with 
modulus 77 and seed 8. 

10. Find the sequence of numbers generated by the square pseudorandom number generator with 
modulus 1001 and seed 5. 

11. Use Theorem 10.4 to find the period length of the pseudorandom sequence in Exercise 9. 

12. Use Theorem 10.4 to find the period length of the pseudorandom sequence in Exercise 10. 

13. Show that the longest possible period of any sequence of pseudorandom numbers generated by
the square pseudorandom number generator with modulus 77, regardless of the seed chosen,
is 4.

14. What is the longest possible period of any sequence of pseudorandom numbers generated by
the square pseudorandom number generator with modulus 989, regardless of the seed chosen?

Another way to generate pseudorandom numbers is to use the Fibonacci generator. Let m be a
positive integer. Two initial integers $x_0$ and $x_1$, both less than m, are specified, and the rest of the
sequence is generated recursively by the congruence $x_{n+1} \equiv x_n + x_{n-1} \pmod m$, $0 \le x_{n+1} < m$.

15. Find the first eight pseudorandom numbers generated by the Fibonacci generator with
modulus m = 31 and initial values $x_0 = 1$ and $x_1 = 24$.
16. Find a good choice for the multiplier a in the pure multiplicative pseudorandom number
generator $x_{n+1} \equiv ax_n \pmod{101}$. (Hint: Find a primitive root of 101 that is not too small.)

17. Find a good choice for the multiplier a in the pure multiplicative pseudorandom number
generator $x_n \equiv ax_{n-1} \pmod{2^{25} - 1}$. (Hint: Find a primitive root of $2^{25} - 1$ and then take an
appropriate power of this root.)

18. Find the multiplier a and increment c of the linear congruential pseudorandom number
generator $x_{n+1} \equiv ax_n + c \pmod{1003}$, $0 \le x_{n+1} < 1003$, if $x_0 = 1$, $x_2 = 402$, and $x_3 = 361$.

19. Find the multiplier a of the pure multiplicative pseudorandom number generator $x_{n+1} \equiv ax_n
\pmod{1000}$, $0 \le x_{n+1} < 1000$, if 313 and 145 are consecutive terms generated.

20. The discrete exponential generator takes a positive integer $x_0$ as its seed and generates
pseudorandom numbers $x_1, x_2, x_3, \ldots$ using the recursive definition $x_{n+1} \equiv g^{x_n} \pmod p$,
$0 < x_{n+1} < p$, for n = 0, 1, 2, ..., where p is an odd prime and g is a primitive root
modulo p.

a) Find the sequence of pseudorandom numbers generated by the discrete exponential
generator with p = 17, g = 3, and $x_0 = 2$.

b) Find the sequence of pseudorandom numbers generated by the discrete exponential
generator with p = 47, g = 5, and $x_0 = 3$.

c) Given a term of a sequence of pseudorandom numbers generated by using a discrete
exponential generator, can the previous term be found easily when the prime p and
primitive root g are known?

21. Another method of generating pseudorandom numbers is to use the power generator with
parameters m, d. Here, m is a positive integer and d is a positive integer relatively prime to
$\phi(m)$. The generator starts with a positive integer $x_0$ as its seed and generates pseudorandom
numbers $x_1, x_2, x_3, \ldots$ using the recursive definition $x_{n+1} \equiv x_n^d \pmod m$, $0 \le x_{n+1} < m$.

a) Find the sequence of pseudorandom numbers generated by a power generator with m =
15, d = 3, and seed $x_0 = 2$.

b) Find the sequence of pseudorandom numbers generated by a power generator with m =
23, d = 3, and seed $x_0 = 3$.


Computations and Explorations 

1. Examine the behavior of the sequence of five-digit pseudorandom numbers produced by the 
middle-square method, starting with different choices of the initial term. 

2. Find the period length of different linear congruential pseudorandom generators of your 
choice. 

3. How long is the period of the linear congruential pseudorandom number generator with
a = 65,539, c = 0, and $m = 2^{31}$?

4. How long is the period of the linear congruential pseudorandom number generator with
a = 69,069, c = 1, and $m = 2^{32}$?

5. Find a seed that produces the longest possible period length for the square pseudorandom 
number generator with modulus 2867. 

6. Show that the square pseudorandom number generator with modulus 9,992,503 and seed 564 
has a period length of 924. 
7. Find the period length of different quadratic congruential pseudorandom number generators,
that is, generators of the form $x_{n+1} \equiv (ax_n^2 + bx_n + c) \pmod m$, $0 \le x_{n+1} < m$, where a, b,
and c are integers. Can you find conditions that guarantee that the period of this generator
is m?

8. Determine the length of the period of the Fibonacci generator described in the preamble to 
Exercise 15 for various choices of the modulus m. Do you think this is a good generator of 
pseudorandom numbers? 

9. There are a variety of empirical tests to measure the randomness of pseudorandom number 
generators. Ten such tests are described in Knuth [Kn97]. Look up these tests and apply some 
of them to different pseudorandom number generators. 

Programming Projects 

1. The middle-square generator 

2. The linear congruential generator 

3. The pure multiplicative generator 

4. The square generator 

5. The Fibonacci generator (see the preamble to Exercise 15) 

6. The discrete exponential generator (see Exercise 20) 

7. The power generator (see Exercise 21) 


10.2 The ElGamal Cryptosystem 

In Chapter 8, we introduced the RSA public key cryptosystem. The security of the RSA 
cryptosystem is based on the difficulty of factoring integers. In this section, we introduce 
another public key cryptosystem known as the ElGamal cryptosystem, invented by 
T. ElGamal in 1985. Its security is based on the difficulty of finding discrete logarithms 
modulo a large prime. (Recall that if p is a prime and r is a primitive root of p, the 
discrete logarithm of an integer a is the exponent x for which $r^x \equiv a \pmod{p}$.) 

In the ElGamal cryptosystem, each person selects a prime p, a primitive root r of 
p, and an integer a with 0 < a < p - 1. This exponent is the private key, that is, it is the 
information kept secret by that person. The corresponding public key is (p, r, b), where 
b is the integer with 

$$b \equiv r^a \pmod{p}, \quad 0 < a < p - 1.$$

In the following example, we illustrate how keys for the ElGamal cryptosystem are 
selected. 

Example 10.5. To generate a public and private key for the ElGamal cryptosystem, we 
first select a prime p. Here we will take p = 2539. (This four-digit prime is selected to 
illustrate how the cryptosystem works; in practice, a prime with several hundred digits 
should be used.) Next, we need a primitive root of this prime p. We select the primitive 
root r = 2 of 2539 (as the reader should verify). Next, we choose an integer a with 
0 < a < 2538. We choose a = 14. This exponent a is the private key. The corresponding 
public key is the triple (p, r, b) = (2539, 2, 1150), because $b \equiv 2^{14} \equiv 1150 \pmod{2539}$. 


Before we encrypt a message using the ElGamal cryptosystem, we will translate 
letters into their numerical equivalents and then form blocks of the largest possible size 
(with an even number of digits), as we did when we encrypted messages in Section 8.4 
using the RSA cryptosystem. (This is just one of many ways to translate messages made 
up of characters into integers.) To encrypt a message to be sent to the person with public 
key (p, r, b), we first select a random number k with 1 < k < p - 2. For each plaintext 
block P, we compute the integers $\gamma$ and $\delta$ with 

$$\gamma \equiv r^k \pmod{p}, \quad 0 < \gamma < p - 1$$

$$\delta \equiv P \cdot b^k \pmod{p}, \quad 0 < \delta < p - 1.$$

The ciphertext corresponding to the plaintext block P is the ordered pair $E(P) = (\gamma, \delta)$. 
The plaintext message P has been hidden by multiplying it by $b^k$ to produce $\delta$. This 
hidden message is transmitted together with $\gamma$. Only the person with the secret key a 
can compute $b^k$ and $\gamma$, and use this to recover the original message. 

When messages are encrypted using the ElGamal cryptosystem, the ciphertext 
corresponding to a plaintext block is twice as long as the original plaintext block. We say 
that this encryption method has a message expansion factor of 2. The random number k 
is included in the encryption procedure to increase security in several ways that we will 
describe later in this section. 

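Decrypting a message encrypted using ElGamal encryption depends on knowledge 
of a, the private key. The first step of the decryption of a ciphertext pair $(\gamma, \delta)$ is to 
compute $\overline{\gamma^a}$, where the bar denotes an inverse modulo p. This is done by computing $\gamma^{p-1-a}$ modulo p. Then, the pair $C = (\gamma, \delta)$ is 
decrypted by computing 

$$D(C) = \overline{\gamma^a}\,\delta.$$

To see that this recovers the plaintext message, note that 

$$\begin{aligned}
D(C) &\equiv \overline{\gamma^a}\,\delta \pmod{p} \\
&\equiv \overline{r^{ka}} \cdot P b^k \pmod{p} \\
&\equiv \overline{(r^a)^k}\, P b^k \pmod{p} \\
&\equiv \overline{b^k}\, P b^k \pmod{p} \\
&\equiv \overline{b^k}\, b^k P \pmod{p} \\
&\equiv P \pmod{p}.
\end{aligned}$$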

Example 10.6 illustrates encryption and decryption using the ElGamal cryptosystem. 

Example 10.6. We will encrypt the message 

PUBLIC KEY CRYPTOGRAPHY 

using the ElGamal cryptosystem with the public key we constructed in Example 10. 
In Example 8.16, we encrypted this same message using the RSA cryptosystem. We 
translated the letters into their numerical equivalents and then grouped numbers into 
blocks of four decimal digits. We can use this same grouping here because the largest 
possible block is 2525. The blocks we obtained were 

1520 0111 0802 1004 
2402 1724 1519 1406 
1700 1507 2423, 

where the dummy letter X is translated into 23 at the end of the passage to fill out the 
final block. ◄ 

To encrypt these blocks, we first select a random number k with 1 < k < 2537 (we 
will use the same k for each block here; in practice, a different number k is chosen 
for each block to ensure a higher level of security). Picking k = 1443, we encrypt each 
plaintext block P into a ciphertext block, using the relationship $E(P) = (\gamma, \delta)$, with 

$$\gamma \equiv 2^{1443} \equiv 2141 \pmod{2539}$$

and 

$$\delta \equiv P \cdot 1150^{1443} \pmod{2539}, \quad 0 < \delta < 2538.$$

For example, the first block is encrypted to (2141, 216), because 

$$\gamma \equiv 2^{1443} \equiv 2141 \pmod{2539}$$

and 

$$\delta \equiv 1520 \cdot 1150^{1443} \equiv 216 \pmod{2539}.$$

When we encrypt each block, we obtain the following ciphertext message: 

(2141,0216) (2141, 1312) (2141, 1771) (2141, 1185) 
(2141, 2132) (2141, 1177) (2141, 1938) (2141, 2231) 
(2141, 1177) (2141, 1938) (2141, 1694). 

To decrypt a ciphertext block, we compute 

$$D(C) \equiv \overline{\gamma^{14}}\,\delta \pmod{2539}.$$

For example, to decrypt the second ciphertext block (2141, 1312), we compute 

$$\begin{aligned}
D((2141, 1312)) &\equiv \overline{2141^{14}} \cdot 1312 \\
&\equiv \overline{1430} \cdot 1312 \\
&\equiv 2452 \cdot 1312 \\
&\equiv 111 \pmod{2539}.
\end{aligned}$$

We have used the fact that 2452 is an inverse of 1430 modulo 2539. This inverse can 
be found using the extended Euclidean algorithm, as the reader should verify. (We have 
also used the fact that $2141^{14} \equiv 1430 \pmod{2539}$.) 

As mentioned, the security of the ElGamal cryptosystem is based on the difficulty 
of determining the private key a from the public key (p, r, b), an instance of the 
discrete logarithm problem, a computationally difficult problem described in Section 9.4. 
Breaking the ElGamal encryption method requires the recovery of a message P given 
the public key (p, r, b) together with the encrypted message $(\gamma, \delta)$ without knowledge 
of the private key a. Although there may be another way to do this other than solving a 
discrete logarithm problem, it is widely thought that this is a computationally difficult 
problem. 


Signing Messages in the ElGamal Cryptosystem 

We will describe a procedure invented by T. ElGamal in 1985 for signing messages using 
the ElGamal cryptosystem. Suppose that a person’s public key is (p, r, b) and his private 
key is a, so that $b \equiv r^a \pmod{p}$. To sign a message P, the person with private key a 
does the following: First, he selects an integer k with (k, p - 1) = 1. Next, he computes 
$\gamma$, where 

$$\gamma \equiv r^k \pmod{p}, \quad 0 < \gamma < p - 1$$

and 

$$s \equiv (P - a\gamma)\,\overline{k} \pmod{p - 1}, \quad 0 < s < p - 2,$$

where $\overline{k}$ is an inverse of k modulo p - 1. The signature on the message P is the pair $(\gamma, s)$. Note that this signature depends on the 
value of the random integer k and can only be computed with knowledge of the private 
key a. 

To see that this is a valid signature scheme, note that we know the public key (p, r, b), 
hence we can verify that the message came from the person who supposedly sent it. To 
do this, we compute 

$$V_1 \equiv \gamma^s b^{\gamma} \pmod{p}, \quad 0 < V_1 < p - 1$$

$$V_2 \equiv r^P \pmod{p}, \quad 0 < V_2 < p - 1.$$

For this signature to be valid, we must have $V_1 = V_2$. If the signature is valid, then 

$$\begin{aligned}
V_1 &\equiv \gamma^s b^{\gamma} \pmod{p} \\
&\equiv \gamma^{(P - a\gamma)\overline{k}}\, b^{\gamma} \pmod{p} \\
&\equiv (\gamma^{\overline{k}})^{P - a\gamma}\, b^{\gamma} \pmod{p} \\
&\equiv r^{P - a\gamma}\, b^{\gamma} \pmod{p} \\
&\equiv r^P\, \overline{r^{a\gamma}}\, b^{\gamma} \pmod{p} \\
&\equiv r^P\, \overline{b^{\gamma}}\, b^{\gamma} \pmod{p} \\
&\equiv r^P \pmod{p} \\
&= V_2.
\end{aligned}$$

A different integer k should be chosen to sign each message in the ElGamal signature 
scheme. If the same integer k is chosen for two signatures, it can be found from these 
signatures, making it possible to find the private key a (see Exercise 8). Another concern 
is whether someone could forge a signature on a message P by selecting an integer k 
and computing $\gamma \equiv r^k \pmod{p}$ using the public key (p, r, b). To complete the signature, 
this person also would have to compute $s \equiv (P - a\gamma)\,\overline{k} \pmod{p - 1}$. She cannot easily 
find a, because computing a from b requires that a discrete logarithm be found, namely, 
the discrete logarithm of b with respect to r modulo p. Not knowing a, a person could 
select a value of s at random. The probability that this would work is only 1/p, which is 
close to zero when p is large. 

Example 10.7 illustrates how a message is signed using the ElGamal signature 
scheme. 

Example 10.7. Suppose that a person has a public ElGamal key of (p, r, b) = 
(2539, 2, 1150) with corresponding private ElGamal key a = 14. To sign the plaintext 
message P = 111, they first choose the integer k = 457, selected at random with 
1 < k < 2538 and (k, 2538) = 1. Note that $\overline{457} \equiv 2227 \pmod{2538}$. ◄ 

The signature of this plaintext message 111 is found by computing 

$$\gamma \equiv 2^{457} \equiv 1079 \pmod{2539}$$

and 

$$s \equiv (111 - 14 \cdot 1079) \cdot 2227 \equiv 1139 \pmod{2538}.$$

Anyone who has this signature (1079, 1139) and the message 111 can verify that the 
signature is valid by computing 

$$1150^{1079} \cdot 1079^{1139} \equiv 1158 \pmod{2539}$$

and 

$$2^{111} \equiv 1158 \pmod{2539}.$$


The ElGamal signature scheme has been modified to create another signature 
scheme that is widely used, known as the Digital Signature Algorithm (DSA). The DSA 
was incorporated in 1994 as a U.S. government standard, Federal Information Processing 
Standard (FIPS) 186, commonly known as the Digital Signature Standard. To learn 
how the ElGamal signature scheme was modified to produce the DSA, consult [St05] 
and [MevaVa97]. 
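
The encryption, decryption, signing and verification steps of this section, reproduced with the toy key of Examples 10.5 to 10.7. This is an added example, not code from the book; the function names, the use of Python's `secrets` module to draw k, the range check in `verify` and the `repeated_gamma` helper are assumptions of the example.

```python
"""Textbook ElGamal with the toy key of Examples 10.5-10.7 (a real prime has hundreds of digits)."""
import secrets
from collections import Counter
from math import gcd

PRIME, ROOT, PRIV = 2539, 2, 14        # p, primitive root r, private key a (values from the text)
PUB = pow(ROOT, PRIV, PRIME)           # public value b = r^a mod p


def text_to_blocks(message):
    """Letters A..Z -> 00..25, two letters per four-digit block, padded with X (23)."""
    nums = [ord(c) - ord("A") for c in message.upper() if "A" <= c <= "Z"]
    if len(nums) % 2:
        nums.append(23)
    return [100 * nums[i] + nums[i + 1] for i in range(0, len(nums), 2)]


def blocks_to_text(blocks):
    return "".join(chr(65 + b // 100) + chr(65 + b % 100) for b in blocks)


def fresh_k(p=PRIME, coprime_to_p_minus_1=False):
    """Draw k with 1 < k < p - 2 from the OS CSPRNG; signing also needs (k, p - 1) = 1."""
    while True:
        k = 2 + secrets.randbelow(p - 4)
        if not coprime_to_p_minus_1 or gcd(k, p - 1) == 1:
            return k


def encrypt(block, k=None, p=PRIME, r=ROOT, b=PUB):
    """Return (gamma, delta) = (r^k, P * b^k) mod p; a fresh k is drawn unless one is given."""
    if not 0 <= block < p:
        raise ValueError("plaintext block must be a residue modulo p")
    k = fresh_k(p) if k is None else k
    return pow(r, k, p), block * pow(b, k, p) % p


def decrypt(pair, a=PRIV, p=PRIME):
    """Multiply delta by gamma^(p-1-a), which is an inverse of gamma^a modulo p."""
    gamma, delta = pair
    return pow(gamma, p - 1 - a, p) * delta % p


def sign(message, k=None, a=PRIV, p=PRIME, r=ROOT):
    """Return (gamma, s) with s = (P - a*gamma) * k^(-1) mod (p - 1)."""
    k = fresh_k(p, coprime_to_p_minus_1=True) if k is None else k
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p - 1")
    gamma = pow(r, k, p)
    k_inv = pow(k, -1, p - 1)          # modular inverse, Python 3.8+
    return gamma, (message - a * gamma) * k_inv % (p - 1)


def verify(message, signature, p=PRIME, r=ROOT, b=PUB):
    """Accept iff gamma^s * b^gamma == r^P (mod p)."""
    gamma, s = signature
    # Range check added by this example (not part of the text's procedure):
    # reject values that are not reduced residues before doing any arithmetic.
    if not (0 < gamma < p and 0 <= s < p - 1):
        return False
    return pow(gamma, s, p) * pow(b, gamma, p) % p == pow(r, message, p)


def repeated_gamma(pairs):
    """Gamma values that occur more than once, i.e. evidence that k was reused."""
    counts = Counter(gamma for gamma, _ in pairs)
    return {g for g, n in counts.items() if n > 1}


if __name__ == "__main__":
    blocks = text_to_blocks("PUBLIC KEY CRYPTOGRAPHY")
    book_ct = [encrypt(b, k=1443) for b in blocks]     # same k for every block, as in Example 10.6
    print("book ciphertext:", book_ct)
    print("reused gamma   :", repeated_gamma(book_ct))
    fresh_ct = [encrypt(b) for b in blocks]            # a different k per block
    print("decrypted      :", blocks_to_text([decrypt(c) for c in fresh_ct]))
    sig = sign(111, k=457)
    print("signature      :", sig, "valid:", verify(111, sig))
```

Run as a script, it prints the ciphertext of Example 10.6 and flags 2141 as a repeated first component, which is what using one k for every block looks like to an observer.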


10.2 Exercises 

1. Encrypt the message HAPPY BIRTHDAY using the ElGamal cryptosystem with the public 
key (p, r, b) = (2551, 6, 33). Show how the resulting ciphertext can be decrypted using the 
private key a = 13. 

2. Encrypt the message DO NOT PASS GO using the ElGamal cryptosystem with the public 
key (2591, 7, 591). Show how the resulting ciphertext can be decrypted using the private key 
a = 99. 

3. Decrypt the message (2161, 660), (2161, 1284), (2161, 1467) encrypted using the ElGamal 
cryptosystem with public key (2713, 5, 193) corresponding to the private key 17. 

4. Decrypt the message (1061, 2185), (1061, 733), (1061, 1096) encrypted using the ElGamal 
cryptosystem with public key (2677, 2, 1410) corresponding to the private key 133. 

5. Find the signature produced by the ElGamal signature scheme for the plaintext message 
P = 823 with public key (p, r, b) = (2657, 3, 801), private key a = 211, and where the integer 
k = 101 is selected to construct the signature. Show how this signature is verified. 

6. Find the signature produced by the ElGamal signature scheme for the plaintext message 
P = 2525 with public key (p, r, b) = (2543, 5, 1615), private key a = 99, and where the 
integer k = 257 is selected to construct the signature. Show how this signature is verified. 

7. Show that if the same random number k is used to encrypt two plaintext messages $P_1$ and $P_2$ 
using ElGamal encryption, then $P_2$ can be found once the plaintext message $P_1$ is known. 

8. Show that if the same integer k is used to sign two different messages using the ElGamal 
signature scheme, producing signatures $(\gamma_1, s_1)$ and $(\gamma_2, s_2)$, the integer k can be found from 
these signatures as long as $s_1 \not\equiv s_2 \pmod{p - 1}$. Show that once k has been found, the private 
key a is easily found. 

Computations and Explorations 

1. Construct a private key, public key pair for the ElGamal cryptosystem for each member of 
your class. Put together a directory of the public keys. 

2. For each member of your class, encrypt a message using the ElGamal cryptosystem using 
the public keys published in the directory. 

3. Decrypt the messages sent to you by your classmates that were encrypted using your ElGamal 
public key. 

Programming Projects 

1. Encrypt messages using an ElGamal cryptosystem. 

2. Decrypt messages that were encrypted using an ElGamal cryptosystem. 

3. Sign messages using the ElGamal cryptosystem. 


10.3 An Application to the Splicing of Telephone Cables 

An interesting application of the preceding material involves the splicing of telephone 
cables. We base our discussion on the exposition in [Or88], relating the contents of an 
original article by Lawther [La35], reporting on work done for the Southwestern Bell 
Telephone Company. 

To develop the application, we first make the following definition. 

Definition. Let m be a positive integer and let a be an integer relatively prime to m. 
The ±1-exponent of a modulo m is the smallest positive integer x such that 

$$a^x \equiv \pm 1 \pmod{m}.$$

We are interested in determining the largest possible ±1-exponent of an integer 
modulo m; we denote this by $\lambda_0(m)$. The following two theorems relate the value of the 
maximal ±1-exponent $\lambda_0(m)$ to $\lambda(m)$, the minimal universal exponent modulo m. 

First, we consider positive integers that possess primitive roots. 

Theorem 10.5. If m is a positive integer, m > 2, with a primitive root, then the maximal 
±1-exponent $\lambda_0(m)$ equals $\phi(m)/2 = \lambda(m)/2$. 

Proof. We first note that if m has a primitive root, then $\lambda(m) = \phi(m)$. By Theorem 7.6, 
we know that $\phi(m)$ is even, so that $\phi(m)/2$ is an integer, if m > 2. Euler’s theorem tells 
us that 

$$a^{\phi(m)} = \left(a^{\phi(m)/2}\right)^2 \equiv 1 \pmod{m}$$

for all integers a with (a, m) = 1. By Exercise 13 of Section 9.3, we know that when m 
has a primitive root, the only solutions of $x^2 \equiv 1 \pmod{m}$ are $x \equiv \pm 1 \pmod{m}$. Hence, 

$$a^{\phi(m)/2} \equiv \pm 1 \pmod{m}.$$

This implies that 

$$\lambda_0(m) \le \phi(m)/2.$$

Now, let r be a primitive root modulo m with ±1-exponent e. Then 

$$r^e \equiv \pm 1 \pmod{m},$$

so that 

$$r^{2e} \equiv 1 \pmod{m}.$$

Because $\operatorname{ord}_m r = \phi(m)$, Theorem 9.1 tells us that $\phi(m) \mid 2e$, or, equivalently, that 
$(\phi(m)/2) \mid e$. Hence, the maximum ±1-exponent $\lambda_0(m)$ is at least $\phi(m)/2$. However, 
we know that $\lambda_0(m) \le \phi(m)/2$. Consequently, $\lambda_0(m) = \phi(m)/2 = \lambda(m)/2$. ■ 


We now will find the maximal ±1-exponent of integers without primitive roots. 

Theorem 10.6. If m is a positive integer without a primitive root, then the maximal 
±1-exponent $\lambda_0(m)$ equals $\lambda(m)$, the minimal universal exponent of m. 

Proof. We first show that if a is an integer of order $\lambda(m)$ modulo m with ±1-exponent 
e such that 

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m},$$

then $e = \lambda(m)$. Consequently, once we have found such an integer a, we will have shown 
that $\lambda_0(m) = \lambda(m)$. 

Assume that a is an integer of order $\lambda(m)$ modulo m with ±1-exponent e such that 

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m}.$$

Because $a^e \equiv \pm 1 \pmod{m}$, it follows that $a^{2e} \equiv 1 \pmod{m}$. By Theorem 9.1, we know 
that $\lambda(m) \mid 2e$. Because $\lambda(m) \mid 2e$ and $e \le \lambda(m)$, either $e = \lambda(m)/2$ or $e = \lambda(m)$. To 
see that $e \ne \lambda(m)/2$, note that $a^e \equiv \pm 1 \pmod{m}$, but $a^{\lambda(m)/2} \not\equiv 1 \pmod{m}$, because 
$\operatorname{ord}_m a = \lambda(m)$, and $a^{\lambda(m)/2} \not\equiv -1 \pmod{m}$, by hypothesis. Therefore, we can conclude 
that if $\operatorname{ord}_m a = \lambda(m)$, a has ±1-exponent e, and $a^e \equiv -1 \pmod{m}$, then $e = \lambda(m)$. 

We now find an integer a with the desired properties. Let the prime-power factorization 
of m be $m = 2^{t_0} p_1^{t_1} p_2^{t_2} \cdots p_s^{t_s}$. We consider several cases. 

We first consider those m with at least two different odd prime factors. Among the 
prime powers $p_i^{t_i}$ dividing m, let $p_j^{t_j}$ be one with the smallest power of 2 dividing $\phi(p_j^{t_j})$. 
Let $r_i$ be a primitive root of $p_i^{t_i}$ for i = 1, 2, . . . , s. Let a be an integer satisfying the 
simultaneous congruences 

$$\begin{aligned}
a &\equiv 3 \pmod{2^{t_0}}, \\
a &\equiv r_i \pmod{p_i^{t_i}} \quad \text{for all } i \text{ with } i \ne j, \\
a &\equiv r_j^2 \pmod{p_j^{t_j}}.
\end{aligned}$$

Such an integer a is guaranteed to exist by the Chinese remainder theorem. Note that 

$$\operatorname{ord}_m a = [\lambda(2^{t_0}), \phi(p_1^{t_1}), \ldots, \phi(p_j^{t_j})/2, \ldots, \phi(p_s^{t_s})],$$

and, by our choice of $p_j^{t_j}$, we know that this least common multiple equals $\lambda(m)$. 

Because $a \equiv r_j^2 \pmod{p_j^{t_j}}$, it follows that $a^{\phi(p_j^{t_j})/2} \equiv r_j^{\phi(p_j^{t_j})} \equiv 1 \pmod{p_j^{t_j}}$. Because 
$\phi(p_j^{t_j})/2 \mid \lambda(m)/2$, we know that 

$$a^{\lambda(m)/2} \equiv 1 \pmod{p_j^{t_j}},$$

so that 

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m}.$$

Consequently, the ±1-exponent of a is $\lambda(m)$. 

The next case that we consider deals with integers of the form $m = 2^{t_0} p_1^{t_1}$, where $p_1$ 
is an odd prime, $t_1 \ge 1$ and $t_0 \ge 2$, because m has no primitive roots. When $t_0 = 2$ or 3, 
we have 

$$\lambda(m) = [2, \phi(p_1^{t_1})] = \phi(p_1^{t_1}).$$

Let a be a solution of the simultaneous congruences 

$$\begin{aligned}
a &\equiv 1 \pmod{4} \\
a &\equiv r \pmod{p_1^{t_1}},
\end{aligned}$$

where r is a primitive root of $p_1^{t_1}$. We see that $\operatorname{ord}_m a = \lambda(m)$. Because 

$$a^{\lambda(m)/2} \equiv 1 \pmod{4},$$

we know that 

Consequently, the ±1-exponent of a is $\lambda(m)$. 

When $t_0 \ge 4$, let a be a solution of the simultaneous congruences 

$$\begin{aligned}
a &\equiv 3 \pmod{2^{t_0}} \\
a &\equiv r \pmod{p_1^{t_1}};
\end{aligned}$$

the Chinese remainder theorem tells us that such an integer exists. We see that $\operatorname{ord}_m a = 
\lambda(m)$. Because $4 \mid \lambda(2^{t_0})$, we know that $4 \mid \lambda(m)$. Hence, 

$$a^{\lambda(m)/2} \equiv 3^{\lambda(m)/2} \equiv (3^2)^{\lambda(m)/4} \equiv 1 \pmod{8}.$$

Thus, 

$$a^{\lambda(m)/2} \not\equiv -1 \pmod{m},$$

so that the ±1-exponent of a is $\lambda(m)$. 

Finally, when $m = 2^{t_0}$ with $t_0 \ge 3$, we know from Theorem 9.12 that $\operatorname{ord}_m 5 = \lambda(m)$, 
but 

$$5^{\lambda(m)/2} \equiv (5^2)^{\lambda(m)/4} \equiv 1 \pmod{8}.$$

Therefore, we see that 

$$5^{\lambda(m)/2} \not\equiv -1 \pmod{m};$$

we conclude that the ±1-exponent of 5 is $\lambda(m)$. 

This finishes the argument, because we have dealt with all cases where m does not 
have a primitive root. ■ 

We now develop a system for splicing telephone cables. Telephone cables are made 
up of concentric layers of insulated copper wire, as illustrated in Figure 10.1, and are 
produced in sections of specified length. 

Figure 10.1 A cross-section of one layer of a telephone cable. 

Telephone lines are constructed by splicing together sections of cable. When two 
wires are adjacent in the same layer in multiple sections of the cable, there are often 
problems with interference and crosstalk. Consequently, two wires adjacent in the same 
layer in one section should not be adjacent in the same layer in any nearby sections. For 
practical purposes, the splicing system should be simple. We use the following rules to 
describe the system: Wires in concentric layers are spliced to wires in the corresponding 
layers of the next section, following the identical splicing direction at each connection. In 
a layer with m wires, we connect the wire in position j in one section, where $1 \le j \le m$, 
to the wire in position S(j) in the next section, where S(j) is the least positive residue 
of $1 + (j - 1)s$ modulo m. Here, s is called the spread of the splicing system. We see 
that when a wire in one section is spliced to a wire in the next section, the adjacent wire 
in the first section is spliced to the wire in the next section in the position obtained by 
counting forward s modulo m from the position of the last wire spliced in this section. To 
have a one-to-one correspondence between wires of adjacent sections, we require that 
the spread s be relatively prime to the number of wires m. This shows that if wires in 
positions j and k are sent to the same wire in the next section, then S(j) = S(k) and 

$$1 + (j - 1)s \equiv 1 + (k - 1)s \pmod{m},$$

so that $js \equiv ks \pmod{m}$. Because (m, s) = 1, from Corollary 4.4.1 we see that $j \equiv k 
\pmod{m}$, which is impossible. 


Example 10.8. Let us connect nine wires with a spread of 2. We have the correspondence 

1 → 1    2 → 3    3 → 5 
4 → 7    5 → 9    6 → 2 
7 → 4    8 → 6    9 → 8, 

as illustrated in Figure 10.2. ◄ 

Figure 10.2 Splicing of nine wires with a spread of 2. 

The following result tells us the correspondence of wires in the first section of cable 
to the wires in the nth section. 

Theorem 10.7. Let $S_n(j)$ denote the position of the wire in the nth section spliced to 
the jth wire of the first section. Then 

$$S_n(j) \equiv 1 + (j - 1)s^{n-1} \pmod{m}.$$

Proof. For n = 2, by the rules for the splicing system, we have 

$$S_2(j) \equiv 1 + (j - 1)s \pmod{m},$$

so the proposition is true for n = 2. Now assume that 

$$S_n(j) \equiv 1 + (j - 1)s^{n-1} \pmod{m}.$$

Then, in the next section, we have the wire in position $S_n(j)$ spliced to the wire in 
position 

$$\begin{aligned}
S_{n+1}(j) &\equiv 1 + (S_n(j) - 1)s \\
&\equiv 1 + \left((j - 1)s^{n-1}\right)s \\
&\equiv 1 + (j - 1)s^n \pmod{m}.
\end{aligned}$$

This shows that the proposition is true. ■ 

In the splicing system, we want to have wires adjacent in one section separated as 
long as possible in the following sections. Theorem 10.7 tells us that after n splices, 
the adjacent wires in the jth and (j + 1)th positions are connected to wires in positions 
$S_n(j) \equiv 1 + (j - 1)s^n \pmod{m}$ and $S_n(j + 1) \equiv 1 + js^n \pmod{m}$, respectively. These 
wires are adjacent in the nth section if, and only if, 

$$S_n(j) - S_n(j + 1) \equiv \pm 1 \pmod{m},$$

or, equivalently, 

$$(1 + (j - 1)s^n) - (1 + js^n) \equiv \pm 1 \pmod{m},$$

which holds if and only if 

$$s^n \equiv \pm 1 \pmod{m}.$$

We can now apply the material at the beginning of this section. To keep wires that 
are adjacent in the first section separated as long as possible thereafter, we should pick 
for the spread s an integer with maximal ±1-exponent $\lambda_0(m)$. 

Example 10.9. With 100 wires, we should choose a spread s so that the ±1-exponent 
of s is $\lambda_0(100) = \lambda(100) = 20$. The appropriate computations show that s = 3 is such a 
spread. ◄ 
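
The "appropriate computations" of Example 10.9, together with a wire-by-wire simulation of the splicing rule that confirms the condition derived above. This is an added example, not code from the book; the function names are assumptions, and the layer is treated as circular so that positions m and 1 count as adjacent.

```python
"""Choosing a splicing spread by its +-1-exponent, and checking the choice by simulation."""
from math import gcd


def splice(j, s, m):
    """Position in the next section of the wire in position j:
    the least positive residue of 1 + (j - 1)s modulo m (so the result lies in 1..m)."""
    return (j - 1) * s % m + 1


def pm1_exponent(a, m):
    """Smallest positive x with a^x congruent to +1 or -1 modulo m (requires (a, m) = 1, m > 2)."""
    if m <= 2 or gcd(a, m) != 1:
        raise ValueError("need m > 2 and a relatively prime to m")
    power, x = a % m, 1
    while power not in (1, m - 1):
        power = power * a % m
        x += 1
    return x


def max_pm1_exponent(m):
    """Largest +-1-exponent over all residues relatively prime to m (brute force)."""
    return max(pm1_exponent(a, m) for a in range(1, m) if gcd(a, m) == 1)


def best_spreads(m):
    """All spreads 1 <= s < m whose +-1-exponent is maximal, in increasing order."""
    best = max_pm1_exponent(m)
    return [s for s in range(1, m) if gcd(s, m) == 1 and pm1_exponent(s, m) == best]


def sections_until_adjacent(s, m):
    """Apply the splicing rule to every wire, section after section, and return the
    number of splices after which wires adjacent in the first section are adjacent again."""
    if gcd(s, m) != 1:
        raise ValueError("the spread must be relatively prime to the number of wires")
    position = list(range(1, m + 1))       # position[i] = current position of original wire i+1
    splices = 0
    while True:
        position = [splice(p, s, m) for p in position]
        splices += 1
        for i in range(m):
            neighbour = (i + 1) % m        # wire m sits next to wire 1 in a circular layer
            if (position[i] - position[neighbour]) % m in (1, m - 1):
                return splices


if __name__ == "__main__":
    print("Example 10.8:", {j: splice(j, 2, 9) for j in range(1, 10)})
    for wires in (9, 17, 24, 100):
        spreads = best_spreads(wires)
        print(f"m={wires}: maximal +-1-exponent {max_pm1_exponent(wires)}, "
              f"smallest best spread {spreads[0]}, "
              f"simulation says {sections_until_adjacent(spreads[0], wires)} splices")
```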


10.3 Exercises 

1. Find the maximal ±1-exponent of each of the following positive integers. 

a) 17    b) 22    c) 24    d) 36    e) 99    f) 100 

2. Find an integer with maximal ±1-exponent modulo each of the following positive integers. 

a) 13    b) 14    c) 15    d) 25    e) 36    f) 60 

3. Devise a splicing scheme for telephone cables containing each of the following number of 
wires. 

a) 50 wires    b) 76 wires    c) 125 wires 

4. Show that using any splicing system of telephone cables with m wires arranged in a concentric 
layer, adjacent wires in one section can be kept separated in at most [(m - 1)/2] successive 
sections of cable. Show that when m is prime, this upper limit is achieved using the system 
developed in this section. 

Computations and Explorations 

1. Find the maximal ±1-exponent of each positive integer less than 1000. 

Programming Projects 

1. Given an integer m, find the maximal ±1-exponent of m. 

2. Develop a scheme for splicing telephone cables as described in this section. 


Quadratic Residues 


When is an integer a a perfect square modulo a prime p? The work of the great 
number theorists Euler, Legendre, and Gauss on this and related questions led to 
the development of much of modern number theory. In this chapter, we develop results, 
both old and new, created in the study of such questions. We first define the concept of a 
quadratic residue, an integer a that is a square modulo p, and establish basic properties 
of quadratic residues. We introduce the Legendre symbol, a notation that tells us whether 
an integer is a quadratic residue of p, and develop its basic properties. We state and prove 
two important criteria, discovered by Euler and by Gauss, for determining whether a is 
a quadratic residue modulo p, and use these criteria to determine whether -1 and 2 are 
quadratic residues of p. 

We also show that an integer that is a perfect square modulo pq, where p and q 
are primes, has exactly four incongruent square roots modulo pq. Modular square roots 
are used extensively in cryptography, such as in a protocol for fairly choosing a random 
bit (“flipping a coin electronically”). We will also illustrate (in the last section of the 
chapter) how modular square roots can be used in an interactive protocol to show that a 
person has some secret information, without revealing this information. 

Suppose that p and q are distinct odd primes. We can ask whether p is a square 
modulo q and whether q is a square modulo p. Is there any relationship between the 
answers to these two questions? In this chapter, we will show that these answers are 
closely related in a way specified by the famous theorem called the law of quadratic 
reciprocity. This law was observed by Euler and Legendre, and ultimately proved by 
Gauss at the end of the eighteenth century. We will present one of the many proofs of 
this famous theorem, selected because it is one of the easiest to understand. The law of 
quadratic reciprocity has both theoretical and practical implications. We show how it can 
be used in computations and to prove useful results, such as Pepin’s test, which can be 
used to determine whether Fermat numbers are prime. 

The Legendre symbol, which tells us whether an integer is a quadratic residue modulo 
p, can be generalized to the Jacobi symbol. We will establish the basic properties of 
Jacobi symbols and show that they satisfy a reciprocity law that is a consequence of the 
law of quadratic reciprocity. We show how Jacobi symbols can be used to simplify computations 
of Legendre symbols. We also use Jacobi symbols to introduce a particular type 
of pseudoprime, known as an Euler pseudoprime, which is an integer that masquerades 
as a prime by satisfying Euler’s criteria for quadratic residues. We will use this concept 
to develop a probabilistic primality test 

11.1 Quadratic Residues and Nonresidues 

Let p be an odd prime and a an integer relatively prime to p. In this chapter, we devote 
our attention to the question: Is a a perfect square modulo p? We begin with a definition. 

Definition. If m is a positive integer, we say that an integer a is a quadratic residue of 
m if (a, m) = 1 and the congruence $x^2 \equiv a \pmod{m}$ has a solution. If the congruence 
$x^2 \equiv a \pmod{m}$ has no solution, we say that a is a quadratic nonresidue of m. 

Example 11.1. To determine which integers are quadratic residues of 11, we compute 
the squares of the integers 1, 2, 3, . . . , 10. We find that $1^2 \equiv 10^2 \equiv 1 \pmod{11}$, $2^2 \equiv 
9^2 \equiv 4 \pmod{11}$, $3^2 \equiv 8^2 \equiv 9 \pmod{11}$, $4^2 \equiv 7^2 \equiv 5 \pmod{11}$, and $5^2 \equiv 6^2 \equiv 3 \pmod{11}$. 
Hence, the quadratic residues of 11 are 1, 3, 4, 5, 9; the integers 2, 6, 7, 8, 10 are 
quadratic nonresidues of 11. ◄ 

Note that the quadratic residues of the positive integer m are just the kth power 
residues of m with k = 2, as defined in Section 9.4. We will show that if p is an odd 
prime, then there are exactly as many quadratic residues as quadratic nonresidues of 
p among the integers 1, 2, . . . , p - 1. To demonstrate this fact, we use the following 
lemma. 

Lemma 11.1. Let p be an odd prime and a an integer not divisible by p. Then, the 
congruence 

$$x^2 \equiv a \pmod{p}$$

has either no solutions or exactly two incongruent solutions modulo p. 

Proof. If $x^2 \equiv a \pmod{p}$ has a solution, say, $x = x_0$, then we can easily demonstrate 
that $x = -x_0$ is a second incongruent solution. Because $(-x_0)^2 = x_0^2 \equiv a \pmod{p}$, we 
see that $-x_0$ is a solution. We note that $x_0 \not\equiv -x_0 \pmod{p}$, for if $x_0 \equiv -x_0 \pmod{p}$, 
then we have $2x_0 \equiv 0 \pmod{p}$. This is impossible by Lemma 3.5 because p is odd and 
$p \nmid x_0$. (We see that $p \nmid x_0$ by noting that $x_0^2 \equiv a \pmod{p}$ and $p \nmid a$.) 

To show that there are no more than two incongruent solutions, assume that $x = x_0$ 
and $x = x_1$ are both solutions of $x^2 \equiv a \pmod{p}$. Then we have $x_0^2 \equiv x_1^2 \equiv a \pmod{p}$, 
so that $x_0^2 - x_1^2 = (x_0 + x_1)(x_0 - x_1) \equiv 0 \pmod{p}$. Hence, $p \mid (x_0 + x_1)$ or $p \mid (x_0 - x_1)$, 
so that $x_1 \equiv -x_0 \pmod{p}$ or $x_1 \equiv x_0 \pmod{p}$. Therefore, if there is a solution of $x^2 \equiv a 
\pmod{p}$, there are exactly two incongruent solutions. ■ 

This leads us to the following theorem. 

Theorem 11.1. If p is an odd prime, then there are exactly (p - 1)/2 quadratic residues 
of p and (p - 1)/2 quadratic nonresidues of p among the integers 1, 2, . . . , p - 1. 

Proof. To find all the quadratic residues of p among the integers 1, 2, . . . , p - 1, we 
compute the least positive residues modulo p of the squares of the integers 1, 2, . . . , p - 1. 
Because there are p - 1 squares to consider, and because each congruence $x^2 \equiv a \pmod{p}$ 
has either zero or two solutions, there must be exactly (p - 1)/2 quadratic residues of 
p among the integers 1, 2, . . . , p - 1. The remaining p - 1 - (p - 1)/2 = (p - 1)/2 
positive integers less than p - 1 are quadratic nonresidues of p. ■ 

Primitive roots and indices, studied in Chapter 9, provide an alternative method for 
proving results about quadratic residues. 

Theorem 11.2. Let p be a prime and let r be a primitive root of p. If a is an integer 
not divisible by p, then a is a quadratic residue of p if $\operatorname{ind}_r a$ is even, and a is a quadratic 
nonresidue of p if $\operatorname{ind}_r a$ is odd. 

Proof. Suppose that $\operatorname{ind}_r a$ is even. Then $\left(r^{\operatorname{ind}_r a / 2}\right)^2 \equiv a \pmod{p}$, which shows that a 
is a quadratic residue of p. Now suppose that a is a quadratic residue of p. Then there 
exists an integer x such that $x^2 \equiv a \pmod{p}$. It follows that $\operatorname{ind}_r x^2 = \operatorname{ind}_r a$. By Part (iii) 
of Theorem 9.16, it follows that $2 \cdot \operatorname{ind}_r x \equiv \operatorname{ind}_r a \pmod{\phi(p)}$, so $\operatorname{ind}_r a$ is even. We have 
shown that a is a quadratic residue of p if and only if $\operatorname{ind}_r a$ is even. It follows that a is 
a quadratic nonresidue of p if and only if $\operatorname{ind}_r a$ is odd. ■ 

Note that by Theorem 11.2, every primitive root of an odd prime p is a quadratic 
nonresidue of p. 

We illustrate how the relationship between primitive roots and indices and quadratic 
residues can be used to prove results about quadratic residues by giving an alternative 
proof of Theorem 11.1. 

Proof. Let p be an odd prime with primitive root r. By Theorem 11.2, the quadratic 
residues of p among the integers 1, 2, . . . , p - 1 are those with even index to the base 
r. It follows that the quadratic residues of p in this set are the least positive residues of 
$r^k$, where k is an even integer with $1 \le k \le p - 1$. The result follows because there are 
exactly (p - 1)/2 such integers. ■ 

The special notation associated with quadratic residues is described in the following 
definition. 

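Definition. Let p be an odd prime and a be an integer not divisible by p. The Legendre 
symbol $\left(\frac{a}{p}\right)$ is defined by 

$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue of } p; \\ -1 & \text{if } a \text{ is a quadratic nonresidue of } p. \end{cases}$$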

This symbol is named after the French mathematician Adrien-Marie Legendre, who 
introduced the use of this notation. 

Example 11.2. The previous example shows that the Legendre symbols $\left(\frac{a}{11}\right)$, a = 
1, 2, . . . , 10, have the following values: 

$$\left(\frac{1}{11}\right) = \left(\frac{3}{11}\right) = \left(\frac{4}{11}\right) = \left(\frac{5}{11}\right) = \left(\frac{9}{11}\right) = 1,$$

$$\left(\frac{2}{11}\right) = \left(\frac{6}{11}\right) = \left(\frac{7}{11}\right) = \left(\frac{8}{11}\right) = \left(\frac{10}{11}\right) = -1.$$

We now present a criterion for deciding whether an integer is a quadratic residue of 
a prime. This criterion is useful in demonstrating properties of the Legendre symbol. 

Theorem 11.3. Euler's Criterion. Let p be an odd prime and let a be an integer not 
divisible by p. Then 

$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod{p}.$$

Proof. First, assume that $\left(\frac{a}{p}\right) = 1$. Then, the congruence $x^2 \equiv a \pmod{p}$ has a solution, 
say $x = x_0$. Using Fermat’s little theorem, we see that 

$$a^{(p-1)/2} = (x_0^2)^{(p-1)/2} = x_0^{p-1} \equiv 1 \pmod{p}.$$

Hence, if $\left(\frac{a}{p}\right) = 1$, we know that $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod{p}$. 

Now consider the case where $\left(\frac{a}{p}\right) = -1$. Then the congruence $x^2 \equiv a \pmod{p}$ has 
no solutions. By Corollary 4.11.1, for each integer i with (i, p) = 1 there is an integer 
j such that $ij \equiv a \pmod{p}$. Furthermore, because the congruence $x^2 \equiv a \pmod{p}$ has 
no solutions, we know that $i \ne j$. Thus, we can group the integers 1, 2, . . . , p - 1 into 
(p - 1)/2 pairs, each with product a. Multiplying these pairs together, we find that 

$$(p - 1)! \equiv a^{(p-1)/2} \pmod{p}.$$

Because Wilson’s theorem tells us that $(p - 1)! \equiv -1 \pmod{p}$, we see that 

$$-1 \equiv a^{(p-1)/2} \pmod{p}.$$

In this case, we also have $\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod{p}$. ■ 

Example 11.3. Let p = 23 and a = 5. Because $5^{11} \equiv -1 \pmod{23}$, Euler’s criterion 
tells us that $\left(\frac{5}{23}\right) = -1$. Hence, 5 is a quadratic nonresidue of 23. ◄ 

We now prove some properties of the Legendre symbol. 


ADRIEN-MARIE LEGENDRE (1752-1833) was born into a well-to-do family. 
He was a professor at the École Militaire in Paris from 1775 to 1780. In 
1795, he was appointed professor at the École Normale. His memoir Recherches 
d’Analyse Indéterminée, published in 1785, contains a discussion of the law of 
quadratic reciprocity, a statement of Dirichlet’s theorem on primes in arithmetic 
progressions, and a discussion of the representation of positive integers as the 
sum of three squares. He established the n = 5 case of Fermat’s last theorem. 
Legendre wrote a textbook on geometry, Éléments de géométrie, that was used 
for more than 100 years and served as a model for other textbooks. Legendre made fundamental 
discoveries in mathematical astronomy and geodesy, and gave the first treatment of the law of least 
squares. 

Theorem 11.4. Let p be an odd prime and a and b be integers not divisible by p. Then 

(i) if $a \equiv b \pmod{p}$, then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$; 

(ii) $\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) = \left(\frac{ab}{p}\right)$; 

(iii) $\left(\frac{a^2}{p}\right) = 1$. 

Proof of (i). If $a \equiv b \pmod p$, then $x^2 \equiv a \pmod p$ has a solution if and only if
$x^2 \equiv b \pmod p$ has a solution. Hence

Proof of ( ii ). By Euler’s criterion, we know that 

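$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p, \qquad \left(\frac{b}{p}\right) \equiv b^{(p-1)/2} \pmod p,$$

and

$$\left(\frac{ab}{p}\right) \equiv (ab)^{(p-1)/2} \pmod p.$$

Hence,

$$\left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \equiv a^{(p-1)/2} b^{(p-1)/2} = (ab)^{(p-1)/2} \equiv \left(\frac{ab}{p}\right) \pmod p.$$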

Because the only possible values of a Legendre symbol are ±1, we conclude that 

Proof of (iii). Because = ±1, from part (ii) it follows that 

$$\left(\frac{a^2}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{p}\right) = 1.$$

Part (ii) of Theorem 11.4 has the following interesting consequence. The product of
two quadratic residues, or of two quadratic nonresidues, of a prime is a quadratic residue 
of that prime, whereas the product of a quadratic residue and a quadratic nonresidue of 
a prime is a quadratic nonresidue. 

Relatively simple proofs of Theorems 11.3 and 11.4 can be constructed using the
concepts of primitive roots and indices, together with Theorem 11.2. (See Exercises 30
and 31 at the end of this section.)

When is -1 a Quadratic Residue of the Prime p? 

For which odd primes not exceeding 20 is $-1$ a quadratic residue? Because $2^2 \equiv -1 \pmod 5$,
$5^2 \equiv -1 \pmod{13}$, and $4^2 \equiv -1 \pmod{17}$, we see that $-1$ is a quadratic residue of 5,
13, and 17. However, it is easy to see (as the reader should verify) that the congruence
$x^2 \equiv -1 \pmod p$ has no solution when $p = 3, 7, 11$, and 19. This evidence leads to the
conjecture that $-1$ is a quadratic residue of the prime $p$ if and only if $p \equiv 1 \pmod 4$.
Using Euler’s criterion, we can prove this conjecture.

Theorem 11.5. If p is an odd prime, then 

$$\left(\frac{-1}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 4; \\ -1 & \text{if } p \equiv -1 \pmod 4. \end{cases}$$

Proof. By Euler’s criterion, we know that 

$$\left(\frac{-1}{p}\right) \equiv (-1)^{(p-1)/2} \pmod p.$$

If $p \equiv 1 \pmod 4$, then $p = 4k + 1$ for some positive integer $k$. Thus,

$$(-1)^{(p-1)/2} = (-1)^{2k} = 1,$$

so that = 1. If p = 3 (mod 4), then p = 4k + 3 for some positive integer k. Thus, 

$$(-1)^{(p-1)/2} = (-1)^{2k+1} = -1,$$

so that = — 1. ■ 

Gauss’s Lemma 

The following elegant result of Gauss provides another criterion to determine whether 
an integer a relatively prime to the prime p is a quadratic residue of p. 

Lemma 11.2. Gauss’s Lemma. Let $p$ be an odd prime and $a$ an integer with $(a, p) = 1$.
If $s$ is the number of least positive residues of the integers $a, 2a, 3a, \ldots, ((p-1)/2)a$
that are greater than $p/2$, then $\left(\frac{a}{p}\right) = (-1)^s$.

Proof. Consider the integers $a, 2a, \ldots, ((p-1)/2)a$. Let $u_1, u_2, \ldots, u_s$ be the least
positive residues of those that are greater than $p/2$, and let $v_1, v_2, \ldots, v_t$ be the least
positive residues of those integers that are less than $p/2$. Because $(ja, p) = 1$ for all $j$
with $1 \le j \le (p-1)/2$, these least positive residues are in the set $1, 2, \ldots, p - 1$.

We will show that $p - u_1, p - u_2, \ldots, p - u_s, v_1, v_2, \ldots, v_t$ comprise the set of
integers $1, 2, \ldots, (p-1)/2$, in some order. To see this, we need only show that no two
of these integers are congruent modulo $p$, because there are exactly $(p-1)/2$ numbers
in the set and all are positive integers not exceeding $(p-1)/2$.

Clearly, no two of the $u_i$ are congruent modulo $p$ and no two of the $v_j$ are congruent
modulo $p$; if a congruence of either of these two sorts held, we would have $ma \equiv na \pmod p$,
where $m$ and $n$ are both positive integers not exceeding $(p-1)/2$. Because
$p \nmid a$, this would imply that $m \equiv n \pmod p$, which is impossible.

In addition, one of the integers $p - u_i$ cannot be congruent to a $v_j$, for if such a
congruence held, we would have $ma \equiv p - na \pmod p$, so that $ma \equiv -na \pmod p$.
Because $p \nmid a$, this would imply that $m \equiv -n \pmod p$, which is impossible because
both $m$ and $n$ are in the set $1, 2, \ldots, (p-1)/2$.

Now that we know that $p - u_1, p - u_2, \ldots, p - u_s, v_1, v_2, \ldots, v_t$ are the integers
$1, 2, \ldots, (p-1)/2$, in some order, we conclude that

$$(p - u_1)(p - u_2) \cdots (p - u_s) v_1 v_2 \cdots v_t \equiv \left(\frac{p-1}{2}\right)! \pmod p,$$

which implies that

$$(-1)^s u_1 u_2 \cdots u_s v_1 v_2 \cdots v_t \equiv \left(\frac{p-1}{2}\right)! \pmod p. \tag{11.1}$$

But, because $u_1, u_2, \ldots, u_s, v_1, v_2, \ldots, v_t$ are the least positive residues of $a, 2a, \ldots,
((p-1)/2)a$, we also know that

$$u_1 u_2 \cdots u_s v_1 v_2 \cdots v_t \equiv a \cdot 2a \cdots ((p-1)/2)a = a^{(p-1)/2} ((p-1)/2)! \pmod p. \tag{11.2}$$

Hence, from (11.1) and (11.2), we see that

$$(-1)^s a^{(p-1)/2} ((p-1)/2)! \equiv ((p-1)/2)! \pmod p.$$

Because $(p, ((p-1)/2)!) = 1$, this congruence implies that

$$(-1)^s a^{(p-1)/2} \equiv 1 \pmod p.$$

By multiplying both sides by $(-1)^s$, we obtain

$$a^{(p-1)/2} \equiv (-1)^s \pmod p.$$

Because Euler’s criterion tells us that $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \pmod p$, it follows that

$$\left(\frac{a}{p}\right) \equiv (-1)^s \pmod p,$$

establishing Gauss’s lemma. ■ 

Example 11.4. Let a = 5 and p = 11. To find by Gauss’s lemma, we compute 
the least positive residues of $1 \cdot 5$, $2 \cdot 5$, $3 \cdot 5$, $4 \cdot 5$, and $5 \cdot 5$. These are 5, 10, 4, 9, and
3, respectively. Because exactly two of these are greater than 11/2, Gauss’s lemma tells 
us that = (-1) 2 = 1. ◄ 
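Euler's criterion (Theorem 11.3) and Gauss's lemma (Lemma 11.2) each give a way to compute a Legendre symbol. The following Python sketch is an added example, not code from the book; the function names are illustrative. It implements both, checks them against the definition, and confirms Theorems 11.5 and 11.6 numerically.

```python
# Added example: the Legendre symbol (a/p) computed three ways.
# p is assumed to be an odd prime and a an integer not divisible by p.

def legendre_by_definition(a, p):
    """+1 if x^2 = a (mod p) has a solution, -1 otherwise (brute force)."""
    a %= p
    if a == 0:
        raise ValueError("a must not be divisible by p")
    return 1 if any(x * x % p == a for x in range(1, p)) else -1


def legendre_euler(a, p):
    """Euler's criterion: (a/p) is congruent to a^((p-1)/2) modulo p."""
    if a % p == 0:
        raise ValueError("a must not be divisible by p")
    r = pow(a, (p - 1) // 2, p)   # r is either 1 or p - 1
    return 1 if r == 1 else -1


def gauss_count(a, p):
    """The s of Gauss's lemma: how many of a, 2a, ..., ((p-1)/2)a have
    least positive residue greater than p/2."""
    half = (p - 1) // 2
    return sum(1 for j in range(1, half + 1) if 2 * ((j * a) % p) > p)


def legendre_gauss(a, p):
    """Gauss's lemma: (a/p) = (-1)^s."""
    if a % p == 0:
        raise ValueError("a must not be divisible by p")
    return -1 if gauss_count(a, p) % 2 else 1


def check_all(primes):
    """True if, for every prime given, the three methods agree on every a
    and the closed forms for (-1/p) and (2/p) hold."""
    for p in primes:
        for a in range(1, p):
            d = legendre_by_definition(a, p)
            if not (d == legendre_euler(a, p) == legendre_gauss(a, p)):
                return False
        # Theorem 11.5: (-1/p) = 1 exactly when p = 1 (mod 4)
        if legendre_euler(p - 1, p) != (1 if p % 4 == 1 else -1):
            return False
        # Theorem 11.6: (2/p) = (-1)^((p^2 - 1)/8)
        if legendre_euler(2, p) != (-1) ** ((p * p - 1) // 8):
            return False
    return True


ODD_PRIMES_BELOW_50 = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

if __name__ == "__main__":
    print("Example 11.3:", legendre_euler(5, 23))
    print("Example 11.4: s =", gauss_count(5, 11), "symbol =", legendre_gauss(5, 11))
    print("all checks pass:", check_all(ODD_PRIMES_BELOW_50))
```

Euler's criterion costs one modular exponentiation, while the Gauss's lemma count takes (p - 1)/2 steps, so only the former is practical for primes of cryptographic size.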


When is 2 a Quadratic Residue of a Prime p? 

For which odd primes not exceeding 50 is 2 a quadratic residue? Because $3^2 \equiv 2 \pmod 7$,
$6^2 \equiv 2 \pmod{17}$, $5^2 \equiv 2 \pmod{23}$, $8^2 \equiv 2 \pmod{31}$, $17^2 \equiv 2 \pmod{41}$, and $7^2 \equiv 2 \pmod{47}$,
we see that 2 is a quadratic residue of 7, 17, 23, 31, 41, and 47. However, $x^2 \equiv 2 \pmod p$
has no solution when $p = 3, 5, 11, 13, 19, 29, 37$, and 43 (as the reader should
verify). Is there a pattern to the primes $p$ for which 2 is a quadratic residue modulo $p$?
Examining these primes and noting that whether 2 is a quadratic residue of $p$ seems to
depend on the congruence of $p$ modulo 8, we conjecture that 2 is a quadratic residue of
the odd prime $p$ if and only if $p \equiv \pm 1 \pmod 8$. Using Gauss’s lemma, we can prove this
conjecture.

Theorem 11.6. If p is an odd prime, then 

$$\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}.$$

Hence, 2 is a quadratic residue of all primes $p \equiv \pm 1 \pmod 8$ and a quadratic nonresidue
of all primes $p \equiv \pm 3 \pmod 8$.

Proof. By Gauss’s lemma, we know that if s is the number of least positive residues of 
the integers 


$$1 \cdot 2,\ 2 \cdot 2,\ 3 \cdot 2,\ \ldots,\ ((p-1)/2) \cdot 2$$

that are greater than p/2, then = (— l) s . Because all of these integers are less than p, 
we need only count those greater than p/2 to find how many have least positive residues 
greater than p/2. 


The integer $2j$, where $1 \le j \le (p-1)/2$, is less than $p/2$ when $j < p/4$. Hence,
there are $[p/4]$ integers in the set less than $p/2$. Consequently, there are $s = (p-1)/2 -
[p/4]$ greater than $p/2$. Therefore, by Gauss’s lemma, we see that

$$\left(\frac{2}{p}\right) = (-1)^{\frac{p-1}{2} - [p/4]}.$$

To prove the theorem, it is enough to show that for every odd integer $p$,

$$\frac{p-1}{2} - [p/4] \equiv \frac{p^2-1}{8} \pmod 2. \tag{11.3}$$

Note that (11.3) holds for a positive integer $p$ if and only if it holds for $p + 8$. This
follows because

$$\frac{(p+8)-1}{2} - [(p+8)/4] = \left(\frac{p-1}{2} + 4\right) - ([p/4] + 2) \equiv \frac{p-1}{2} - [p/4] \pmod 2$$

and

$$\frac{(p+8)^2-1}{8} = \frac{p^2-1}{8} + 2p + 8 \equiv \frac{p^2-1}{8} \pmod 2.$$


Thus, we can conclude that (11.3) holds for every odd integer n if it holds for p = ±1
and ±3. We leave it to the reader to verify that (11.3) holds for these four values of p.

It follows that for every prime p, we have = (— 1) C/* 2 — 1)/8_ 

From the computations of the congruence class of $(p^2-1)/8$ (mod 2), we see that
= 1 if p = ±1 (mod 8), while = - 1 if p = ±3 (mod 8). ■

Example 11.5. By Theorem 11.6, we see that

GMS)-(a-GH 


whereas 


We now present an example to show how to evaluate some Legendre symbols. 

Example 11.6. To evaluate we use parts (i), (ii), and (iii) of Theorem 11.4 to

obtain


because $317 \equiv 9 \pmod{11}$.

To evaluate because $89 \equiv -2 \pmod{13}$, we have

Because $13 \equiv 1 \pmod 4$, Theorem 11.5 tells us that $\left(\frac{-1}{13}\right) = 1$. Because $13 \equiv -3 \pmod 8$,
we see from Theorem 11.6 that = -1. Consequently, = -1. ◄

In the next section, we will state and prove one of the most intriguing and challenging
results of elementary number theory, the law of quadratic reciprocity. This theorem
relates the values of and where p and q are odd primes. The law of quadratic
reciprocity has many implications, both theoretical and practical, as we will see throughout
this chapter. From a computational standpoint, we will see that it can help us evaluate
Legendre symbols.

Modular Square Roots 

Suppose that $n = pq$, where $p$ and $q$ are distinct odd primes, and suppose that the
congruence $x^2 \equiv a \pmod n$, where $0 < a < n$ and $(a, n) = 1$, has a solution $x = x_0$. We
will show that there are exactly four incongruent solutions modulo $n$. In other words, we
will show that $a$ has four incongruent square roots modulo $n$. To see this, let $x_0 \equiv x_1 \pmod p$,
$0 < x_1 < p$, and let $x_0 \equiv x_2 \pmod q$, $0 < x_2 < q$. Then the congruence $x^2 \equiv a \pmod p$
has exactly two incongruent solutions modulo $p$, namely, $x \equiv x_1 \pmod p$ and $x \equiv p - x_1 \pmod p$.
Similarly, the congruence $x^2 \equiv a \pmod q$ has exactly two incongruent solutions
modulo $q$, namely, $x \equiv x_2 \pmod q$ and $x \equiv q - x_2 \pmod q$.

From the Chinese remainder theorem, there are exactly four incongruent solutions of
the congruence $x^2 \equiv a \pmod n$; these four incongruent solutions are the unique solutions
modulo $pq$ of the four sets of simultaneous congruences:

(i) $x \equiv x_1 \pmod p$, $x \equiv x_2 \pmod q$;

(ii) $x \equiv x_1 \pmod p$, $x \equiv q - x_2 \pmod q$;

(iii) $x \equiv p - x_1 \pmod p$, $x \equiv x_2 \pmod q$;

(iv) $x \equiv p - x_1 \pmod p$, $x \equiv q - x_2 \pmod q$.

We denote solutions of (i) and (ii) by $x$ and $y$, respectively. Solutions of (iii) and (iv) are
easily seen to be $n - y$ and $n - x$, respectively.

We also note that when $p \equiv q \equiv 3 \pmod 4$, the solutions of $x^2 \equiv a \pmod p$ and of
$x^2 \equiv a \pmod q$ are $x \equiv \pm a^{(p+1)/4} \pmod p$ and $x \equiv \pm a^{(q+1)/4} \pmod q$, respectively.
By Euler’s criterion, we know that $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) = 1 \pmod p$ and $a^{(q-1)/2} \equiv \left(\frac{a}{q}\right) = 1 \pmod q$
(recall that we are assuming that $x^2 \equiv a \pmod{pq}$ has a solution, so that $a$ is a
quadratic residue of both $p$ and $q$). Hence,

$$(a^{(p+1)/4})^2 = a^{(p+1)/2} = a^{(p-1)/2} \cdot a \equiv a \pmod p$$

and

$$(a^{(q+1)/4})^2 = a^{(q+1)/2} = a^{(q-1)/2} \cdot a \equiv a \pmod q.$$

Using the Chinese remainder theorem, together with the explicit solutions just 
constructed, we can easily find the four incongruent solutions of x 2 = a (mod n). The 
following example illustrates this procedure. 

Example 11.7. Suppose that we know a priori that the congruence

$$x^2 \equiv 860 \pmod{11,021}$$

has a solution. Because $11,021 = 103 \cdot 107$, to find the four incongruent solutions we
solve the congruences

$$x^2 \equiv 860 \equiv 36 \pmod{103}$$

and

$$x^2 \equiv 860 \equiv 4 \pmod{107}.$$

The solutions of these congruences are

$$x \equiv \pm 36^{(103+1)/4} = \pm 36^{26} \equiv \pm 6 \pmod{103}$$

and

$$x \equiv \pm 4^{(107+1)/4} = \pm 4^{27} \equiv \pm 2 \pmod{107},$$

respectively. Using the Chinese remainder theorem, we obtain $x \equiv \pm 212, \pm 109 \pmod{11,021}$
as the solutions of the four systems of congruences described by the four possible
choices of signs in the system of congruences $x \equiv \pm 6 \pmod{103}$, $x \equiv \pm 2 \pmod{107}$.

Flipping Coins Electronically

An interesting and useful application of the properties of quadratic residues is a method to
“flip coins” electronically, invented by Blum [Bl82]. This method takes advantage of the
difference in the length of time needed to find primes and needed to factor integers that
are the products of two primes, also the basis of the RSA cipher discussed in Chapter 8.

We now describe a method for electronically flipping coins. Suppose that Bob and
Alice are communicating electronically. Alice picks two distinct large primes $p$ and $q$,
with $p \equiv q \equiv 3 \pmod 4$. Alice sends Bob the integer $n = pq$. Bob picks, at random,
a positive integer $x$ less than $n$ and sends to Alice the integer $a$ with $x^2 \equiv a \pmod n$,
$0 < a < n$. Alice finds the four solutions of $x^2 \equiv a \pmod n$, namely, $x$, $y$, $n - x$, and
$n - y$. Alice picks one of these four solutions and sends it to Bob. Note that because
$x + y \equiv 2x_1 \not\equiv 0 \pmod p$ and $x + y \equiv 0 \pmod q$, we have $(x + y, n) = q$, and, similarly,
$(x + (n - y), n) = p$. Thus, if Bob receives either $y$ or $n - y$, he can rapidly factor $n$
by using the Euclidean algorithm to find one of the two prime factors of $n$. On the other
hand, if Bob receives either $x$ or $n - x$, he has no way to factor $n$ in a reasonable length
of time.

Consequently, Bob wins the coin flip if he can factor $n$, whereas Alice wins if Bob
cannot factor $n$. From previous comments, we know that there is an equal chance for
Bob to receive a solution of $x^2 \equiv a \pmod n$ that helps him rapidly factor $n$, or a solution
of $x^2 \equiv a \pmod n$ that does not help him factor $n$. Hence, the coin flip is fair.
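The square-root procedure of Example 11.7 and the coin-flip exchange described above, combined in one added Python example (not code from the book). Function names are illustrative, and the primes 103 and 107 of Example 11.7 stand in for the large primes a real exchange would need.

```python
# Added example: four square roots modulo n = pq with p = q = 3 (mod 4),
# and Blum's coin flip built on them. Requires Python 3.8+ for pow(p, -1, q).
import math
import secrets


def sqrt_mod_prime_3mod4(a, p):
    """One square root of a modulo a prime p = 3 (mod 4),
    or None if a is a quadratic nonresidue of p."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    a %= p
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a else None


def crt_pair(r_p, p, r_q, q):
    """The unique x modulo pq with x = r_p (mod p) and x = r_q (mod q)."""
    t = (r_q - r_p) * pow(p, -1, q) % q
    return (r_p + p * t) % (p * q)


def four_square_roots(a, p, q):
    """Solutions of x^2 = a (mod pq), in the order of systems (i)-(iv);
    an empty list if a is not a quadratic residue of both primes."""
    n = p * q
    if math.gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    x1 = sqrt_mod_prime_3mod4(a, p)
    x2 = sqrt_mod_prime_3mod4(a, q)
    if x1 is None or x2 is None:
        return []
    x = crt_pair(x1, p, x2, q)        # system (i)
    y = crt_pair(x1, p, q - x2, q)    # system (ii)
    return [x, y, n - y, n - x]       # (iii) is n - y, (iv) is n - x


def bob_commit(n):
    """Bob: pick a random x relatively prime to n, keep it, send a = x^2 mod n."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x, x * x % n


def alice_reply(a, p, q):
    """Alice: she cannot tell which root Bob holds, so she sends one at random."""
    return secrets.choice(four_square_roots(a, p, q))


def bob_factor(n, x, r):
    """Bob: gcd(x + r, n) is a prime factor of n unless r is x or n - x."""
    g = math.gcd(x + r, n)
    return g if 1 < g < n else None


def flip(p, q):
    """One round of the exchange; returns (winner, factor found by Bob or None)."""
    n = p * q
    x, a = bob_commit(n)
    r = alice_reply(a, p, q)
    if r * r % n != a:
        raise ValueError("Alice did not send a square root of a")
    factor = bob_factor(n, x, r)
    return ("Bob" if factor else "Alice"), factor


if __name__ == "__main__":
    roots = four_square_roots(860, 103, 107)
    print("square roots of 860 mod 11021:", sorted(roots))
    # Bob's secret is x = 109 here (constructed); try each possible reply.
    print([bob_factor(11021, 109, r) for r in roots])
    print(flip(103, 107))
```

With Bob's x fixed at 109, exactly two of Alice's four possible replies let him factor 11,021, which is the fairness argument of the text in concrete form.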


11.1 Exercises 

1. Find all of the quadratic residues of each of the following integers, 

a) 3 b) 5 c) 13 d) 19 

2. Find all of the quadratic residues of each of the following integers, 

a) 7 b) 8 c) 15 d) 18 

3. Find the value of the Legendre symbols for j = 1, 2, 3, 4. 

4. Find the value of the Legendre symbols for j = 1, 2, 3, 4, 5, 6. 

5. Evaluate the Legendre symbol 

a) using Euler’s criterion. 

b) using Gauss’s lemma. 

6. Let a and b be integers not divisible by the prime p. Show that either one or all three of the 
integers a, b, and ab are quadratic residues of p. 

7. Show that if $p$ is an odd prime, then

$$\left(\frac{-2}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \text{ or } 3 \pmod 8; \\ -1 & \text{if } p \equiv -1 \text{ or } -3 \pmod 8. \end{cases}$$

8. Show that if the prime-power factorization of n is


. 2^+1 n 2r *+i . . . n 2r 

Pk Pk + 1 Pm 


and q is a prime not dividing n, then 


;)-(?)(?)-(?)• 


9. Show that if $p$ is prime and $p \equiv 3 \pmod 4$, then $[(p-1)/2]! \equiv (-1)^t \pmod p$, where $t$ is
the number of positive integers less than $p/2$ that are nonquadratic residues of $p$.

10. Show that if b is a positive integer not divisible by the prime p, then 

$$\left(\frac{b}{p}\right) + \left(\frac{2b}{p}\right) + \left(\frac{3b}{p}\right) + \cdots + \left(\frac{(p-1)b}{p}\right) = 0.$$


11. Let $p$ be prime and $a$ be a quadratic residue of $p$. Show that if $p \equiv 1 \pmod 4$, then $-a$ is also
a quadratic residue of $p$, whereas if $p \equiv 3 \pmod 4$, then $-a$ is a quadratic nonresidue of $p$.

12. Consider the quadratic congruence $ax^2 + bx + c \equiv 0 \pmod p$, where $p$ is prime and $a$, $b$,
and $c$ are integers with $p \nmid a$.

a) Let $p = 2$. Determine which quadratic congruences (mod 2) have solutions.

b) Let $p$ be an odd prime and let $d = b^2 - 4ac$. Show that the congruence $ax^2 + bx + c \equiv 0 \pmod p$
is equivalent to the congruence $y^2 \equiv d \pmod p$, where $y = 2ax + b$. Conclude
that if $d \equiv 0 \pmod p$, then there is exactly one solution $x$ modulo $p$; if $d$ is a quadratic
residue of $p$, then there are two incongruent solutions; and if $d$ is a quadratic nonresidue
of $p$, then there are no solutions.

13. Find all solutions of the following quadratic congruences. 

a) $x^2 + x + 1 \equiv 0 \pmod 7$

b) $x^2 + 5x + 1 \equiv 0 \pmod 7$

c) $x^2 + 3x + 1 \equiv 0 \pmod 7$

14. Show that if p is prime and p > 1, then there are always two consecutive quadratic residues 
of p. (Hint: First show that at least one of 2, 5, and 10 is a quadratic residue of p.) 

* 15. Show that if p is prime and p > 7, then there are always two quadratic residues of p that 

differ by 2. 

16. Show that if p is prime and p > 7, then there are always two quadratic residues of p that 
differ by 3. 

17. Show that if $a$ is a quadratic residue of the prime $p$, then the solutions of $x^2 \equiv a \pmod p$ are

a) $x \equiv \pm a^{n+1} \pmod p$, if $p = 4n + 3$.

b) $x \equiv \pm a^{n+1}$ or $\pm 2^{2n+1} a^{n+1} \pmod p$, if $p = 8n + 5$.

* 18. Show that if $p$ is a prime and $p = 8n + 1$, and $r$ is a primitive root modulo $p$, then the solutions
of $x^2 \equiv \pm 2 \pmod p$ are given by

$$x \equiv \pm(r^{7n} \pm r^n) \pmod p,$$

where the ± sign in the first congruence corresponds to the ± sign inside the parentheses in
the second congruence.

19. Find all solutions of the congruence $x^2 \equiv 1 \pmod{15}$.

20. Find all solutions of the congruence $x^2 \equiv 58 \pmod{77}$.

21. Find all solutions of the congruence $x^2 \equiv 207 \pmod{1001}$.

22. Let $p$ be an odd prime, $e$ a positive integer, and $a$ an integer relatively prime to $p$. Show that
the congruence $x^2 \equiv a \pmod{p^e}$ has either no solutions or exactly two incongruent solutions.

* 23. Let $p$ be an odd prime, $e$ a positive integer, and $a$ an integer relatively prime to $p$. Show that
there is a solution to the congruence $x^2 \equiv a \pmod{p^{e+1}}$ if and only if there is a solution to
the congruence $x^2 \equiv a \pmod{p^e}$. Use Exercise 22 to conclude that the congruence $x^2 \equiv a \pmod{p^e}$
has no solutions if $a$ is a quadratic nonresidue of $p$, and exactly two incongruent
solutions modulo $p$ if $a$ is a quadratic residue of $p$.

24. Let n be an odd integer. Find the number of incongruent solutions modulo n of the congruence 
x 2 = a (mod n), where n has prime-power factorization n = p\p 2 • • • p‘™, in terms of the 
Legendre symbols , . . . , (jr)- (Hint: Use Exercise 23.) 

25. Find the number of incongruent solutions of each of the following congruences. 

a) $x^2 \equiv 31 \pmod{75}$

b) $x^2 \equiv 16 \pmod{105}$

c) $x^2 \equiv 46 \pmod{231}$

d) $x^2 \equiv 1156 \pmod{3^2 5^3 7^5 11^6}$

* 26. Show that the congruence $x^2 \equiv a \pmod{2^e}$, where $e$ is an integer, $e > 3$, has either no solutions
or exactly four incongruent solutions. (Hint: Use the fact that $(\pm x)^2 \equiv (2^{e-1} \pm x)^2 \pmod{2^e}$.)

27. Show that there are infinitely many primes of the form $4k + 1$. (Hint: Assume that $p_1, p_2, \ldots,
p_n$ are the only such primes. Form $N = 4(p_1 p_2 \cdots p_n)^2 + 1$, and show, using Theorem 11.5,
that $N$ has a prime factor of the form $4k + 1$ that is not one of $p_1, p_2, \ldots, p_n$.)

* 28. Show that there are infinitely many primes of each of the following forms.

a) $8k + 3$ b) $8k + 5$ c) $8k + 7$

(Hint: For each part, assume that there are only finitely many primes $p_1, p_2, \ldots, p_n$ of the
particular form. For part (a), look at $(p_1 p_2 \cdots p_n)^2 + 2$; for part (b), look at $(p_1 p_2 \cdots p_n)^2 + 4$;
and for part (c), look at $(4 p_1 p_2 \cdots p_n)^2 - 2$. In each part, show that there is a prime factor
of this integer of the required form not among the primes $p_1, p_2, \ldots, p_n$. Use Theorems 11.5
and 11.6.)

29. Let $p$ and $q$ be odd primes with $p \equiv q \equiv 3 \pmod 4$ and let $a$ be a quadratic residue of $n = pq$.
Show that exactly one of the four incongruent square roots of $a$ modulo $pq$ is a quadratic
residue of $n$.

30. Prove Theorem 11.3 using the concept of primitive roots and indices.

31. Prove Theorem 11.4 using the concept of primitive roots and indices.

32. Let $p$ be an odd prime. Show that there are $(p-1)/2 - \phi(p-1)$ quadratic nonresidues of
p that are not primitive roots of p. 

* 33. Let p and q = 2p + 1 both be odd primes. Show that the p — 1 primitive roots of q are the 

quadratic nonresidues of q, other than the nonresidue 2p of q. 

* 34. Show that if $p$ and $q = 4p + 1$ are both primes and if $a$ is a quadratic nonresidue of $q$ with
$\mathrm{ord}_q a \ne 4$, then $a$ is a primitive root of $q$.

* 35. Show that a prime $p$ is a Fermat prime if and only if every quadratic nonresidue of $p$ is also
a primitive root of $p$.

* 36. Show that a prime divisor $p$ of the Fermat number $F_n = 2^{2^n} + 1$ must be of the form $2^{n+2}k + 1$.
(Hint: Show that $\mathrm{ord}_p 2 = 2^{n+1}$. Then show that $2^{(p-1)/2} \equiv 1 \pmod p$ using Theorem 11.6.
Conclude that $2^{n+1} \mid (p-1)/2$.)

* 37. a) Show that if $p$ is a prime of the form $4k + 3$ and $q = 2p + 1$ is prime, then $q$ divides the
Mersenne number $M_p = 2^p - 1$. (Hint: Consider the Legendre symbol $\left(\frac{2}{q}\right)$.)

b) From part (a), show that $23 \mid M_{11}$, $47 \mid M_{23}$, and $503 \mid M_{251}$.

* 38. Show that if $n$ is a positive integer and $2n + 1$ is prime, and if $n \equiv 0$ or $3 \pmod 4$, then $2n + 1$
divides the Mersenne number $M_n = 2^n - 1$, whereas if $n \equiv 1$ or $2 \pmod 4$, then $2n + 1$ divides
$M_n + 2 = 2^n + 1$. (Hint: Consider the Legendre symbol and use Theorem 11.5.)

39. Show that if $p$ is an odd prime, then every prime divisor $q$ of the Mersenne number $M_p$ must
be of the form $q = 8k \pm 1$, where $k$ is a positive integer. (Hint: Use Exercise 38.)

40. Show how Exercise 39, together with Theorem 7.12, can be used to help show that $M_{17}$ is
prime.

* 41. Show that if p is an odd prime, then 

gm- 

(Hint: First show that , where J is an inverse j of modulo p.) 

* 42. Let $p$ be an odd prime. Among pairs of consecutive positive integers less than $p$, let (RR),
(RN), (NR), and (NN) denote the number of pairs of two quadratic residues, of a quadratic
residue followed by a quadratic nonresidue, of a quadratic nonresidue followed by a quadratic
residue, and of two quadratic nonresidues, respectively.

a) Show that

$$(RR) + (RN) = \tfrac{1}{2}\left(p - 2 - (-1)^{(p-1)/2}\right),$$

$$(NR) + (NN) = \tfrac{1}{2}\left(p - 2 + (-1)^{(p-1)/2}\right),$$

$$(RR) + (NR) = \tfrac{1}{2}(p - 1) - 1,$$

$$(RN) + (NN) = \tfrac{1}{2}(p - 1).$$

b) Using Exercise 41, show that

$$\sum_{j=1}^{p-2} \left(\frac{j(j+1)}{p}\right) = (RR) + (NN) - (RN) - (NR) = -1.$$

c) From parts (a) and (b), find (RR), (RN), (NR), and (NN).

43. Use Theorem 9.16 to prove Theorem 11.1.

* 44. Let p and q be odd primes. Show that 2 is a primitive root of q, if q = 4p + 1.

* 45. Let p and q be odd primes. Show that 2 is a primitive root of q, if p is of the form 4k + 1

and q = 2p + 1 . 

* 46. Let p and q be odd primes. Show that -2 is a primitive root of q, if p is of the form 4k — 1 

and q = 2p + 1 . 

* 47. Let p and q be odd primes. Show that —4 is a primitive root of q, if q = 2p + 1. 

48. Find the solutions of x 2 = 482 (mod 2773) (note that 2773 = 47 • 59). 

* 49. In this exercise, we develop a method for decrypting messages encrypted using a Rabin cipher. 

Recall that the relationship between a ciphertext block C and the corresponding plaintext 
block P in a Rabin cipher is C = P(P + 2b) (mod n), where n = pq, p and q are distinct 
odd primes, and b is a positive integer less than n. 

a) Show that C + a = (P + 2b) 2 (mod n), where a = (2b) 2 (mod n), and 2 is an inverse of 
2 modulo n. 

b) Using the algorithm in the text for solving congruences of the type x 2 = a (mod n), 
together with part (a), show how to find a plaintext block P from the corresponding ci- 
phertext block C . Explain why there are four possible plaintext messages. (This ambiguity 
is a disadvantage of Rabin ciphers.) 

c) Decrypt the ciphertext message 1819 0459 0803 that was encrypted using the Rabin 
cryptosystem with b = 3 and n = 47 • 59 = 2773. 

50. Let $p$ be an odd prime, and let $C$ be the ciphertext obtained in modular exponentiation, with
exponent $e$ and modulus $p$, from the plaintext $P$, that is, $C \equiv P^e \pmod p$, $0 < C < n$, where
$(e, p - 1) = 1$. Show that $C$ is a quadratic residue of $p$ if and only if $P$ is a quadratic residue
of $p$.

* 51. a) Show that the second player in a game of electronic poker (see Section 8.6) can obtain an

advantage by noting which cards have numerical equivalents that are quadratic residues 
modulo p. (Hint: Use Exercise 50.) 

b) Show that the advantage of the second player noted in part (a) can be eliminated if the 
numerical equivalents of cards that are quadratic nonresidues are all multiplied by a fixed 
quadratic nonresidue. 

* 52. Show that if the probing sequence for resolving collisions in a hashing scheme is
$h_j(K) \equiv h(K) + aj + bj^2 \pmod m$, where $h(K)$ is a hashing function, $m$ is a positive integer, and $a$
and $b$ are integers with $(b, m) = 1$, then only half the possible file locations are probed. This
is called the quadratic search.

We say that x and y form a chain of quadratic residues modulo p if x, y, and x + y are all 

quadratic residues modulo p. 

53. Find a chain x, y, x + y of quadratic residues modulo 11. 

54. Is there a chain of quadratic residues modulo 7? 


Computations and Explorations

1. Find the value of each of the following Legendre symbols: ( 45 ^ 79 ), ( 21 15^500*207 )’ anc *

2. Show that the prime p = 30,059,924,764,123 has = - 1 for all primes q with 2 < q <
181.

3. A set of integers $x_1, x_2, \ldots, x_n$, where $n$ is a positive integer, is called a chain of quadratic
residues if all sums of consecutive subsets of these numbers are quadratic residues. Show
that the integers 1, 4, 45, 94, 261, 310, 344, 387, 393, 394, and 456 form a chain of quadratic
residues modulo 631. (Note: There are 66 values to check.)

4. Find the smallest quadratic nonresidue of each prime less than 1000. 

5. Find the smallest quadratic nonresidue of 100 randomly selected primes between 100,000 
and 1,000,000, and 100 randomly selected primes between 100,000,000 and 1,000,000,000. 
Can you make any conjectures based on your evidence? 

6. Use numerical evidence to determine for which odd primes $p$ there are more quadratic
residues $a$ of $p$ with $1 \le a \le (p-1)/2$ than there are with $(p+1)/2 \le a \le p - 1$.

7. Let $p$ be a prime with $p \equiv 3 \pmod 4$. It has been proved that if $R$ is the largest number of
consecutive quadratic residues of $p$ and $N$ is the largest number of consecutive quadratic
nonresidues of $p$, then $R = N < \sqrt{p}$. Verify this result for all primes of this type less than
1000.

8. Let $p$ be a prime with $p \equiv 1 \pmod 4$. It has been conjectured that if $N$ is the largest number
of consecutive quadratic nonresidues of $p$, then $N < \sqrt{p}$ when $p$ is sufficiently large. Find
evidence for this conjecture. For which small primes does this inequality fail?

9. Find the four modular square roots of 4,609,126 modulo 14,438,821 = 4003 • 3607. 

10. Find the square roots of 11,535 modulo 142,661. Which one is a quadratic residue of 142,661?

Programming Projects 

1. Evaluate Legendre symbols using Euler’s criterion. 

2. Evaluate Legendre symbols using Gauss’s lemma. 

3. Given a positive integer n that is the product of two distinct primes both congruent to 3 modulo
4, find the four square roots of the least positive residue of $x^2$, where x is an integer relatively
prime to n.

* 4. Flip coins electronically using the procedure described in this section. 

* * 5. Decrypt messages that were encrypted using a Rabin cryptosystem (see Exercise 49). 


11.2 The Law of Quadratic Reciprocity

Suppose that $p$ and $q$ are distinct odd primes. Suppose further that we know whether
$q$ is a quadratic residue of $p$. Do we also know whether $p$ is a quadratic residue of $q$?
The answer to this question was found by Euler in the mid-1700s. He found the answer
by examining numerical evidence, but he did not prove that his answer was correct.
Later, in 1785, Legendre reformulated Euler’s answer, in its modern, elegant form, in
a theorem known as the law of quadratic reciprocity. This theorem tells us whether the
congruence $x^2 \equiv q \pmod p$ has solutions, once we know whether there are solutions of
$x^2 \equiv p \pmod q$.

Theorem 11.7. The Law of Quadratic Reciprocity. Let p and q be distinct odd
primes. Then

Legendre published several proposed proofs of this theorem, but each of his proofs 
contained a serious gap. The first correct proof was provided by Gauss, who claimed 
to have rediscovered this result when he was 18 years old. Gauss devoted considerable 
attention to his search for a proof. In fact, he wrote that “for an entire year this theorem 
tormented me and absorbed my greatest efforts until at last I obtained a proof.” 

Once Gauss found his first proof in 1796, he continued searching for additional 
proofs. He found at least six different proofs of the law of quadratic reciprocity. His goal 
in looking for more proofs was to find an approach that could be generalized to higher 
powers. In particular, he was interested in cubic and biquadratic residues of primes; that 
is, he was interested in determining when, given a prime p and an integer a not divisible 
by p, the congruences x 3 = a (mod p) and x 4 = a (mod p) are solvable. With his sixth 
proof, Gauss finally succeeded in his goal, as this proof could be generalized to higher 
powers. (See [IrRo95], [Go98], and [Le00] for more information about Gauss’s proofs
and the generalization to higher power residues.) 

Finding new and different approaches did not stop with Gauss. Some of the well-known
mathematicians who have published original proofs of the law of quadratic
reciprocity are Cauchy, Dedekind, Dirichlet, Kronecker, and Eisenstein. One count in
1921 stated that there were 56 different proofs of the law of quadratic reciprocity, and in
1963 an article published by M. Gerstenhaber [Ge63] offered the 152nd proof of the law
of quadratic reciprocity. In 2000, Franz Lemmermeyer [Le00] compiled a comprehensive
list of 192 proofs of quadratic reciprocity, noting for each proof the year, the prover, and
the method of proof. Lemmermeyer maintains a current version of this on the Web; as
of early 2010, 233 different proofs were listed. Not only does he add new proofs to this
list, but he also adds overlooked older proofs. According to his count, Gerstenhaber’s
proof is number 159, and 34 of the proofs were completed in the last ten years. It will
be interesting to see if new proofs continue to be found at the rate of one per year.
(See Exercise 17 for an outline of the 221st proof.) Although many of the different
proofs of the law of quadratic reciprocity are similar, they encompass an amazing variety
of approaches. The ideas in different approaches can have useful consequences. For
example, the ideas behind Gauss’s first proof, which is a complicated argument using 
mathematical induction, were of little interest to mathematicians for more than 175 years, 
until they were used in the 1970s in computations in an advanced area of algebra known 
as K-theory. 

The version of the law of quadratic reciprocity that we have stated and proved is 
different from the version originally conjectured by Euler. This version, which we now 
state, turns out to be equivalent to the version we have stated as Theorem 11.7. Euler 
formulated this version based on the evidence of many computations of special cases.

Theorem 11.8. Suppose that $p$ is an odd prime and $a$ is an integer not divisible by $p$.
If $q$ is a prime with $p \equiv \pm q \pmod{4a}$, then

This version of the law of quadratic reciprocity shows that the value of the Legendre 
symbol depends only on the residue class of p modulo 4a, and that the value of 
takes the same value for all primes p with remainder r or 4a — r when divided by 4a. 

We leave it to the reader as Exercises 10 and 11 to show that this form of the law of
quadratic reciprocity is equivalent to the form given in Theorem 11.7. We also ask the 
reader to prove, in Exercise 12, this form of quadratic reciprocity directly, using Gauss’s 
lemma. 

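Before we prove the law of quadratic reciprocity, we will discuss its consequences
and how it is used to evaluate Legendre symbols. We first note that the quantity $(p-1)/2$
is even when $p \equiv 1 \pmod 4$ and odd when $p \equiv 3 \pmod 4$. Consequently, we see that
$\frac{p-1}{2} \cdot \frac{q-1}{2}$ is even if $p \equiv 1 \pmod 4$ or $q \equiv 1 \pmod 4$, whereas $\frac{p-1}{2} \cdot \frac{q-1}{2}$ is odd if
$p \equiv q \equiv 3 \pmod 4$. Hence, we have

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 4 \text{ or } q \equiv 1 \pmod 4 \text{ (or both)}; \\ -1 & \text{if } p \equiv q \equiv 3 \pmod 4. \end{cases}$$

Because the only possible values of and are ±1, we see that

$$\left(\frac{p}{q}\right) = \begin{cases} \left(\frac{q}{p}\right) & \text{if } p \equiv 1 \pmod 4 \text{ or } q \equiv 1 \pmod 4 \text{ (or both)}; \\ -\left(\frac{q}{p}\right) & \text{if } p \equiv q \equiv 3 \pmod 4. \end{cases}$$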

This means that if p and q are odd primes, then unless both p and q are 

congruent to 3 modulo 4, and in that case, . 

Example 11.8. Let p = 13 and q = 17. Because $p \equiv q \equiv 1 \pmod 4$, the law of 
quadratic reciprocity tells us that $\left(\frac{13}{17}\right) = \left(\frac{17}{13}\right)$. By part (i) of Theorem 11.4, we know that 
$\left(\frac{17}{13}\right) = \left(\frac{4}{13}\right)$, and from part (iii) of Theorem 11.4, it follows that $\left(\frac{4}{13}\right) = \left(\frac{2^2}{13}\right) = 1$. 

Combining these equalities, we conclude that $\left(\frac{13}{17}\right) = 1$. ◄ 

Example 11.9. Let p = 7 and q = 19. Because $p \equiv q \equiv 3 \pmod 4$, by the law of 
quadratic reciprocity, we know that $\left(\frac{7}{19}\right) = -\left(\frac{19}{7}\right)$. From (i) of Theorem 11.4, 
we see that $\left(\frac{19}{7}\right) = \left(\frac{5}{7}\right)$. Again, using the law of quadratic reciprocity, because $5 \equiv 1 \pmod 4$ 
and $7 \equiv 3 \pmod 4$, we have $\left(\frac{5}{7}\right) = \left(\frac{7}{5}\right)$. By part (i) of Theorem 11.4 and 
Theorem 11.6, we know that $\left(\frac{7}{5}\right) = \left(\frac{2}{5}\right) = -1$. Hence, $\left(\frac{7}{19}\right) = 1$. ◄ 

We can use the law of quadratic reciprocity and Theorems 11.4 and 11.6 to evaluate 
Legendre symbols. Unfortunately, prime factorizations must be computed to evaluate 
Legendre symbols in this way. 

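Example 11.10. We will calculate $\left(\frac{713}{1009}\right)$ (note that 1009 is prime). We factor 
$713 = 23 \cdot 31$, so that by part (ii) of Theorem 11.4, we have 

$$\left(\frac{713}{1009}\right) = \left(\frac{23 \cdot 31}{1009}\right) = \left(\frac{23}{1009}\right)\left(\frac{31}{1009}\right).$$

To evaluate the two Legendre symbols on the right side of this equality, we use the law 
of quadratic reciprocity. Because $1009 \equiv 1 \pmod 4$, we see that 

$$\left(\frac{23}{1009}\right) = \left(\frac{1009}{23}\right), \qquad \left(\frac{31}{1009}\right) = \left(\frac{1009}{31}\right).$$

Using Theorem 11.4, part (i), we have 

$$\left(\frac{1009}{23}\right) = \left(\frac{20}{23}\right), \qquad \left(\frac{1009}{31}\right) = \left(\frac{17}{31}\right).$$

By parts (ii) and (iii) of Theorem 11.4, it follows that 

$$\left(\frac{20}{23}\right) = \left(\frac{2^2 \cdot 5}{23}\right) = \left(\frac{2^2}{23}\right)\left(\frac{5}{23}\right) = \left(\frac{5}{23}\right).$$

The law of quadratic reciprocity, part (i) of Theorem 11.4, and Theorem 11.6 tell us that 

$$\left(\frac{5}{23}\right) = \left(\frac{23}{5}\right) = \left(\frac{3}{5}\right) = \left(\frac{5}{3}\right) = \left(\frac{2}{3}\right) = -1.$$

Thus, $\left(\frac{23}{1009}\right) = -1$. 

Likewise, using the law of quadratic reciprocity, Theorem 11.4, and Theorem 11.6, 
we find that 

$$\left(\frac{17}{31}\right) = \left(\frac{31}{17}\right) = \left(\frac{14}{17}\right) = \left(\frac{2}{17}\right)\left(\frac{7}{17}\right) = \left(\frac{7}{17}\right) = \left(\frac{17}{7}\right) = \left(\frac{3}{7}\right) = -\left(\frac{7}{3}\right) = -\left(\frac{1}{3}\right) = -1.$$

Consequently, $\left(\frac{31}{1009}\right) = -1$. 

Therefore, $\left(\frac{713}{1009}\right) = (-1)(-1) = 1$. ◄ 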

A Proof of the Law of Quadratic Reciprocity 

We now present a proof of the law of quadratic reciprocity originally given by Max Eisenstein. 
This proof is a simplification of the third proof given by Gauss. This simplification 
was made possible by the following lemma of Eisenstein, which will help us reduce the 
proof of the law of quadratic reciprocity to counting lattice points in triangles. 


Lemma 11.3. If p is an odd prime and a is an odd integer not divisible by p, then 

$$\left(\frac{a}{p}\right) = (-1)^{T(a,p)},$$

where 

$$T(a,p) = \sum_{j=1}^{(p-1)/2} [ja/p].$$

Proof. Consider the least positive residues of the integers $a, 2a, \ldots, ((p-1)/2)a$; let 
$u_1, u_2, \ldots, u_s$ be those greater than p/2 and let $v_1, v_2, \ldots, v_t$ be those less than p/2. 
The division algorithm tells us that 

$$ja = p[ja/p] + \text{remainder},$$

where the remainder is one of the $u_j$ or $v_j$. By adding the $(p-1)/2$ equations of this 
sort, we obtain 

$$(11.4) \qquad \sum_{j=1}^{(p-1)/2} ja = \sum_{j=1}^{(p-1)/2} p[ja/p] + \sum_{j=1}^{s} u_j + \sum_{j=1}^{t} v_j.$$

As we showed in the proof of Gauss’s lemma, the integers $p - u_1, \ldots, p - u_s, 
v_1, \ldots, v_t$ are precisely the integers $1, 2, \ldots, (p-1)/2$, in some order. Hence, summing 
all these integers, we obtain 

$$(11.5) \qquad \sum_{j=1}^{(p-1)/2} j = \sum_{j=1}^{s} (p - u_j) + \sum_{j=1}^{t} v_j = ps - \sum_{j=1}^{s} u_j + \sum_{j=1}^{t} v_j.$$

Subtracting (11.5) from (11.4), we find that 

$$\sum_{j=1}^{(p-1)/2} ja - \sum_{j=1}^{(p-1)/2} j = \sum_{j=1}^{(p-1)/2} p[ja/p] - ps + 2\sum_{j=1}^{s} u_j$$

or, equivalently, because $T(a,p) = \sum_{j=1}^{(p-1)/2} [ja/p]$, 

$$(a - 1) \sum_{j=1}^{(p-1)/2} j = pT(a,p) - ps + 2\sum_{j=1}^{s} u_j.$$

Reducing this last equation modulo 2, because a and p are odd, yields 

$$0 \equiv T(a,p) - s \pmod 2.$$

Hence, 

$$T(a,p) \equiv s \pmod 2.$$

To finish the proof, we note that from Gauss’s lemma, 

$$\left(\frac{a}{p}\right) = (-1)^s.$$

Consequently, because $(-1)^s = (-1)^{T(a,p)}$, it follows that 

$$\left(\frac{a}{p}\right) = (-1)^{T(a,p)}. \qquad ■$$


FERDINAND GOTTHOLD MAX EISENSTEIN (1823-1852) suffered 
from poor health his entire life. He moved with his family to England, Ireland, 
and Wales before returning to Germany. In Ireland, Eisenstein met Sir 
William Rowan Hamilton, who stimulated his interest in mathematics by giving 
him a paper that discussed the impossibility of solving quintic equations in 
radicals. On his return to Germany in 1843, at the age of 20, Eisenstein entered 
the University of Berlin. 

Eisenstein amazed the mathematical community when he quickly began producing new results 
soon after entering the university. In 1844, Eisenstein met Gauss in Göttingen, where they discussed 
reciprocity for cubic residues. Gauss was extremely impressed by Eisenstein, and tried to obtain 
financial support for him. Gauss wrote to the explorer and scientist Alexander von Humboldt that 
the talent Eisenstein had was “that nature bestows upon only a few in each century.” Eisenstein was 
amazingly prolific. In 1844, he published 16 papers in Volume 27 of Crelle's Journal alone. In the third 
semester of his studies, he received an honorary doctorate from the University of Breslau. Eisenstein 
was appointed to an unsalaried position as a Privatdozent at the University of Berlin; however, after 
1847, Eisenstein’s health worsened so much that he was mostly confined to bed. Nevertheless, his 
mathematical output continued unabated. After spending a year in Sicily in a futile attempt to improve 
his health, he returned to Germany, where he died from tuberculosis at the age of 29. His early death 
was considered a tremendous loss by mathematicians. 



Although Lemma 11.3 is used primarily as a tool in the proof of the law of quadratic 
reciprocity, it can also be used to evaluate Legendre symbols. 


Example 11.11. To find $\left(\frac{7}{11}\right)$ using Lemma 11.3, we evaluate the sum 

$$\sum_{j=1}^{5} [7j/11] = [7/11] + [14/11] + [21/11] + [28/11] + [35/11] = 0 + 1 + 1 + 2 + 3 = 7.$$

Hence, $\left(\frac{7}{11}\right) = (-1)^7 = -1$. 

Likewise, to find $\left(\frac{11}{7}\right)$, we note that 

$$\sum_{j=1}^{3} [11j/7] = [11/7] + [22/7] + [33/7] = 1 + 3 + 4 = 8,$$

so that $\left(\frac{11}{7}\right) = (-1)^8 = 1$. ◄ 

Before we present a proof of the law of quadratic reciprocity, we use an example to 
illustrate the method of proof. 

Let p = 7 and q = 11. We consider pairs of integers (x, y) with $1 \le x \le (7-1)/2 = 3$ 
and $1 \le y \le (11-1)/2 = 5$. There are 15 such pairs. We note that none of these pairs 
satisfies 11x = 7y, because the equality 11x = 7y implies that $11 \mid 7y$, so that either $11 \mid 7$, 
which is absurd, or $11 \mid y$, which is impossible because $1 \le y \le 5$. 

We divide these 15 pairs into two groups, depending on the relative sizes of 11x and 
7y, as shown in Figure 11.1. 

Figure 11.1 Counting lattice points to determine $\left(\frac{7}{11}\right)\left(\frac{11}{7}\right)$. 

The pairs of integers (x, y) with $1 \le x \le 3$, $1 \le y \le 5$, and 11x > 7y are precisely 
those pairs satisfying $1 \le x \le 3$ and $1 \le y \le 11x/7$. For a fixed integer x with $1 \le x \le 3$, 
there are [11x/7] allowable values of y. Hence, the total number of pairs satisfying 
$1 \le x \le 3$, $1 \le y \le 5$, and 11x > 7y is 

$$\sum_{j=1}^{3} [11j/7] = [11/7] + [22/7] + [33/7] = 1 + 3 + 4 = 8;$$

these eight pairs are (1, 1), (2, 1), (2, 2), (2, 3), (3, 1), (3, 2), (3, 3), and (3, 4). 

The pairs of integers (x, y) with $1 \le x \le 3$, $1 \le y \le 5$, and 11x < 7y are precisely 
those pairs satisfying $1 \le y \le 5$ and $1 \le x \le 7y/11$. For a fixed integer y with $1 \le y \le 5$, 
there are [7y/11] allowable values of x. Hence, the total number of pairs satisfying 
$1 \le x \le 3$, $1 \le y \le 5$, and 11x < 7y is 

$$\sum_{j=1}^{5} [7j/11] = [7/11] + [14/11] + [21/11] + [28/11] + [35/11] = 0 + 1 + 1 + 2 + 3 = 7.$$

These seven pairs are (1, 2), (1, 3), (1, 4), (1, 5), (2, 4), (2, 5), and (3, 5). 

Consequently, we see that 

$$\frac{11-1}{2} \cdot \frac{7-1}{2} = 5 \cdot 3 = 15 = \sum_{j=1}^{3} [11j/7] + \sum_{j=1}^{5} [7j/11] = 8 + 7.$$

Hence, 

$$(-1)^{\frac{11-1}{2} \cdot \frac{7-1}{2}} = (-1)^{\sum_{j=1}^{3} [11j/7] + \sum_{j=1}^{5} [7j/11]} = (-1)^{\sum_{j=1}^{3} [11j/7]} (-1)^{\sum_{j=1}^{5} [7j/11]}.$$

Because Lemma 11.3 tells us that $\left(\frac{11}{7}\right) = (-1)^{\sum_{j=1}^{3} [11j/7]}$ and $\left(\frac{7}{11}\right) = (-1)^{\sum_{j=1}^{5} [7j/11]}$, 
we see that $\left(\frac{7}{11}\right)\left(\frac{11}{7}\right) = (-1)^{\frac{7-1}{2} \cdot \frac{11-1}{2}}$. 

This establishes the special case of the law of quadratic reciprocity when p = 7 and 
q = 11. 

We now prove the law of quadratic reciprocity, using the idea illustrated in the 
example. 

Proof. We consider pairs of integers (x, y) with $1 \le x \le (p-1)/2$ and $1 \le y \le (q-1)/2$. 
There are $\frac{p-1}{2} \cdot \frac{q-1}{2}$ such pairs. We divide these pairs into two groups, depending 
on the relative sizes of qx and py, as shown in Figure 11.2. 

First, we note that $qx \ne py$ for all these pairs. For if qx = py, then $q \mid py$, which 
implies that $q \mid p$ or $q \mid y$. However, because q and p are distinct primes, we know that 
$q \nmid p$, and because $1 \le y \le (q-1)/2$, we know that $q \nmid y$. 

To enumerate the pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$, 
and qx > py, we note that these pairs are precisely those where $1 \le x \le (p-1)/2$ 
and $1 \le y \le qx/p$. For each fixed value of the integer x, with $1 \le x \le (p-1)/2$, 
there are [qx/p] integers satisfying $1 \le y \le qx/p$. Consequently, the total number of 
pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$, and qx > py is 
$\sum_{j=1}^{(p-1)/2} [qj/p]$. 

We now consider the pairs of integers (x, y) with $1 \le x \le (p-1)/2$, $1 \le y \le (q-1)/2$, 
and qx < py. These pairs are precisely the pairs of integers (x, y) with 
$1 \le y \le (q-1)/2$ and $1 \le x \le py/q$. Hence, for each fixed value of the integer y, 
where $1 \le y \le (q-1)/2$, there are exactly [py/q] integers x satisfying $1 \le x \le py/q$. 
This shows that the total number of pairs of integers (x, y) with $1 \le x \le (p-1)/2$, 
$1 \le y \le (q-1)/2$, and qx < py is $\sum_{j=1}^{(q-1)/2} [pj/q]$. 

Adding the numbers of pairs in these classes, and recalling that the total number of 
such pairs is $\frac{p-1}{2} \cdot \frac{q-1}{2}$, we see that 

$$\sum_{j=1}^{(p-1)/2} [qj/p] + \sum_{j=1}^{(q-1)/2} [pj/q] = \frac{p-1}{2} \cdot \frac{q-1}{2},$$

or, using the notation of Lemma 11.3, 

$$T(q,p) + T(p,q) = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

Hence, 

$$(-1)^{T(q,p) + T(p,q)} = (-1)^{T(q,p)} (-1)^{T(p,q)} = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$

Lemma 11.3 tells us that $(-1)^{T(q,p)} = \left(\frac{q}{p}\right)$ and $(-1)^{T(p,q)} = \left(\frac{p}{q}\right)$. Hence 

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}.$$

This concludes the proof of the law of quadratic reciprocity. ■ 
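
The counting argument can be checked numerically. The following Python sketch is an added example, not part of the text: it computes T(a, p) from Lemma 11.3, counts the lattice points on each side of the line qx = py directly, and confirms that the two counts are T(q, p) and T(p, q). The function names and the list of test primes are constructed for this illustration.

```python
# Added illustration of Lemma 11.3 and the lattice-point proof; names are hypothetical.

def eisenstein_T(a, p):
    """T(a, p) = sum over j = 1..(p-1)/2 of floor(j*a/p), as in Lemma 11.3."""
    return sum((j * a) // p for j in range(1, (p - 1) // 2 + 1))


def legendre_by_lemma(a, p):
    """Legendre symbol (a/p) as (-1)^T(a, p); p an odd prime, a odd, p not dividing a."""
    if a % 2 == 0 or a % p == 0:
        raise ValueError("Lemma 11.3 needs a odd and not divisible by p")
    return -1 if eisenstein_T(a, p) % 2 else 1


def legendre_by_euler(a, p):
    """Independent check by Euler's criterion; assumes p is an odd prime not dividing a."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def lattice_split(p, q):
    """Count pairs (x, y) with 1 <= x <= (p-1)/2 and 1 <= y <= (q-1)/2.

    Returns (number with qx > py, number with qx < py).
    """
    below = above = 0
    for x in range(1, (p - 1) // 2 + 1):
        for y in range(1, (q - 1) // 2 + 1):
            if q * x > p * y:
                below += 1
            elif q * x < p * y:
                above += 1
            else:
                # The proof shows this case is impossible for distinct primes.
                raise ArithmeticError("qx = py for distinct primes p and q")
    return below, above


def reciprocity_holds(p, q):
    """Replay the proof for one pair of distinct odd primes p and q."""
    below, above = lattice_split(p, q)
    half_product = ((p - 1) // 2) * ((q - 1) // 2)
    counts_match = (below, above) == (eisenstein_T(q, p), eisenstein_T(p, q))
    sign = -1 if half_product % 2 else 1
    return (counts_match
            and below + above == half_product
            and legendre_by_lemma(p, q) * legendre_by_lemma(q, p) == sign)


# Constructed sample input: a few small odd primes.
ODD_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43]

if __name__ == "__main__":
    print(lattice_split(7, 11))          # the p = 7, q = 11 example from the text
    print(all(reciprocity_holds(p, q)
              for p in ODD_PRIMES for q in ODD_PRIMES if p != q))
```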

The law of quadratic reciprocity has many applications. One use is to prove the validity 
of the following primality test for Fermat numbers. 


Theorem 11.9. Pepin’s Test. The Fermat number $F_m = 2^{2^m} + 1$ is prime if and only if 

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$

Proof. We will first show that $F_m$ is prime if the congruence in the statement of the 
theorem holds. Assume that 

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$

Then, by squaring both sides, we obtain 

$$3^{F_m - 1} \equiv 1 \pmod{F_m}.$$

Using this congruence, we see that if p is a prime dividing $F_m$, then 

$$3^{F_m - 1} \equiv 1 \pmod p,$$

and hence, 

$$\mathrm{ord}_p 3 \mid (F_m - 1) = 2^{2^m}.$$

Consequently, $\mathrm{ord}_p 3$ must be a power of 2. However, 

$$\mathrm{ord}_p 3 \nmid 2^{2^m - 1} = (F_m - 1)/2,$$

because $3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}$. Hence, the only possibility is that $\mathrm{ord}_p 3 = 2^{2^m} = 
F_m - 1$. Because $\mathrm{ord}_p 3 = F_m - 1 \le p - 1$ and $p \mid F_m$, we see that $p = F_m$ and, 
consequently, $F_m$ must be prime. 

Conversely, if $F_m = 2^{2^m} + 1$ is prime for $m \ge 1$, then the law of quadratic reciprocity 
tells us that 

$$(11.6) \qquad \left(\frac{3}{F_m}\right) = \left(\frac{F_m}{3}\right) = \left(\frac{2}{3}\right) = -1,$$

because $F_m \equiv 1 \pmod 4$ and $F_m \equiv 2 \pmod 3$. 

Now, using Euler’s criterion, we know that 

$$(11.7) \qquad \left(\frac{3}{F_m}\right) \equiv 3^{(F_m - 1)/2} \pmod{F_m}.$$

By the two equations involving $\left(\frac{3}{F_m}\right)$, (11.6) and (11.7), we conclude that 

$$3^{(F_m - 1)/2} \equiv -1 \pmod{F_m}.$$

This finishes the proof. ■ 

Example 11.12. Let m = 2. Then $F_2 = 2^{2^2} + 1 = 17$ and 

$$3^{(F_2 - 1)/2} = 3^8 \equiv -1 \pmod{17}.$$

By Pepin’s test, we see that $F_2 = 17$ is prime. 

Let m = 5. Then $F_5 = 2^{2^5} + 1 = 2^{32} + 1 = 4,294,967,297$. We note that 

$$3^{(F_5 - 1)/2} = 3^{2^{31}} = 3^{2,147,483,648} \equiv 10,324,303 \not\equiv -1 \pmod{4,294,967,297}.$$

Hence, by Pepin’s test, we see that $F_5$ is composite. ◄ 
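
Pepin's test is cheap to run because the exponent $(F_m - 1)/2 = 2^{2^m - 1}$ is a power of 2, so the whole computation is $2^m - 1$ modular squarings of 3. The Python sketch below is an added example, not part of the text; the function names are chosen for this illustration, and the test is applied only for $m \ge 1$, the range the proof covers.

```python
# Added illustration of Pepin's test (Theorem 11.9); names are hypothetical.

def fermat_number(m):
    """F_m = 2^(2^m) + 1."""
    return (1 << (1 << m)) + 1


def pepin_residue(m):
    """Return 3^((F_m - 1)/2) mod F_m using 2^m - 1 successive squarings."""
    F = fermat_number(m)
    r = 3 % F
    for _ in range((1 << m) - 1):
        r = r * r % F          # after k squarings, r = 3^(2^k) mod F_m
    return r


def pepin_is_prime(m):
    """True exactly when F_m passes Pepin's test, that is, when F_m is prime."""
    if m < 1:
        raise ValueError("the test is applied for m >= 1")
    return pepin_residue(m) == fermat_number(m) - 1


if __name__ == "__main__":
    for m in range(1, 9):
        verdict = "prime" if pepin_is_prime(m) else "composite"
        print(f"F_{m} has {fermat_number(m).bit_length()} bits: {verdict}")
```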


11.2 Exercises 

1. Evaluate each of the following Legendre symbols. 

2. Using the law of quadratic reciprocity, show that if p is an odd prime, then 

$$\left(\frac{3}{p}\right) = \begin{cases} 1 & \text{if } p \equiv \pm 1 \pmod{12}; \\ -1 & \text{if } p \equiv \pm 5 \pmod{12}. \end{cases}$$

3. Show that if p is an odd prime, then 

$$\left(\frac{-3}{p}\right) = \begin{cases} 1 & \text{if } p \equiv 1 \pmod 6; \\ -1 & \text{if } p \equiv -1 \pmod 6. \end{cases}$$


4. Find a congruence describing all primes for which 5 is a quadratic residue. 

5. Find a congruence describing all primes for which 7 is a quadratic residue. 

6. Show that there are infinitely many primes of the form 5k + 4. (Hint: Let n be a positive 
integer and form $Q = 5(n!)^2 - 1$. Show that Q has a prime divisor of the form 5k + 4 greater 
than n. To do this, use the law of quadratic reciprocity to show that if a prime p divides Q, 
then $\left(\frac{p}{5}\right) = 1$.) 

7. Use Pepin’s test to show that the following Fermat numbers are primes. 

a) $F_1 = 5$ 

b) $F_3 = 257$ 

c) $F_4 = 65,537$ 

8. Use Pepin’s test to conclude that 3 is a primitive root of every Fermat prime. 

9. In this exercise, we give another proof of the law of quadratic reciprocity. Let p and q 
be distinct odd primes. Let R be the interior of the rectangle with vertices O = (0, 0), 
A = (p/2, 0), B = (q/2, 0), and C = (p/2, q/2), as shown. 

[Figure: rectangle with labeled vertices O (0, 0), A (p/2, 0), B (q/2, 0), and C (p/2, q/2).] 

a) Show that the number of lattice points (points with integer coordinates) in R is $\frac{p-1}{2} \cdot \frac{q-1}{2}$. 

b) Show that there are no lattice points on the diagonal connecting O and C. 

c) Show that the number of lattice points in the triangle with vertices O, A, and C is 
$\sum_{j=1}^{(p-1)/2} [jq/p]$. 

d) Show that the number of lattice points in the triangle with vertices O, B, and C is 
$\sum_{j=1}^{(q-1)/2} [jp/q]$. 

e) Conclude from parts (a), (b), (c), and (d) that 

$$\sum_{j=1}^{(p-1)/2} [jq/p] + \sum_{j=1}^{(q-1)/2} [jp/q] = \frac{p-1}{2} \cdot \frac{q-1}{2}.$$

Derive the law of quadratic reciprocity using this equation and Lemma 11.3. 

Exercises 10 and 11 ask that you show that Euler’s form of the law of quadratic reciprocity 
(Theorem 11.8) and the form given in Theorem 11.7 are equivalent. 

10. Show that Euler’s form of the law of quadratic reciprocity, Theorem 11.8, implies the law of 
quadratic reciprocity as stated in Theorem 11.7. (Hint: Consider separately the cases when 
$p \equiv q \pmod 4$ and $p \not\equiv q \pmod 4$.) 

11. Show that the law of quadratic reciprocity as stated in Theorem 11.7 implies Euler’s form of 
the law of quadratic reciprocity, Theorem 11.8. (Hint: First consider the cases when a = 2 
and when a is an odd prime. Then consider the case when a is composite.) 

12. Prove Euler’s form of the law of quadratic reciprocity, Theorem 11.8, using Gauss’s lemma. 
(Hint: Show that to find we need only find the parity of the number of integers k 
satisfying one of the inequalities $(2t - 1)(p/2a) < k < t(p/a)$ for t = 1, 2, . . . , 2u − 1, 
where u = a/2 if a is even and u = (a − 1)/2 if a is odd. Then, take p = 4am + r with 
0 < r < 4a, and show that finding the parity of the number of integers k satisfying one of the 
inequalities listed is the same as finding the parity of the number of integers satisfying one 
of the inequalities $(2t - 1)r/2a < k < tr/a$ for t = 1, 2, . . . , 2m − 1. Show that this number 
depends only on r. Then, repeat the last step of the argument with r replaced by 4a − r.) 


Exercise 13 asks that you fill in the details of a proof of the law of quadratic reciprocity originally 
developed by Eisenstein. This proof requires familiarity with the complex numbers. 


13. A complex number $\zeta$ is an nth root of unity, where n is a positive integer, if $\zeta^n = 1$. If n is the 
least positive integer for which $\zeta^n = 1$, then $\zeta$ is called a primitive nth root of unity. Recall 
that $e^{2\pi i} = 1$. 

a) Show that $e^{(2\pi i/n)k}$ is an nth root of unity if k is an integer with $0 \le k \le n - 1$, which is 
primitive if and only if (k, n) = 1. 

b) Show that if $\zeta$ is an nth root of unity and $m \equiv \ell \pmod n$, then $\zeta^m = \zeta^\ell$. Furthermore, 
show that if $\zeta$ is a primitive nth root of unity and $\zeta^m = \zeta^\ell$, then $m \equiv \ell \pmod n$. 

c) Define $f(z) = e^{2\pi i z} - e^{-2\pi i z} = 2i \sin(2\pi z)$. Show that f(z + 1) = f(z) and f(−z) = 
−f(z), and that the only real zeros of f(z) are the numbers n/2, where n is an integer. 

d) Show that if n is a positive integer, then $x^n - y^n = \prod_{k=0}^{n-1} (\zeta^k x - \zeta^{-k} y)$, where $\zeta = e^{2\pi i/n}$. 

e) Show that if n is an odd positive integer and f(z) is as defined in part (c), then 

$$\frac{f(nz)}{f(z)} = \prod_{k=1}^{(n-1)/2} f\left(z + \frac{k}{n}\right) f\left(z - \frac{k}{n}\right).$$

f) Show that if p is an odd prime and a is an integer not divisible by p, then 

$$\prod_{\ell=1}^{(p-1)/2} f\left(\frac{\ell a}{p}\right) = \left(\frac{a}{p}\right) \prod_{\ell=1}^{(p-1)/2} f\left(\frac{\ell}{p}\right).$$

g) Prove the law of quadratic reciprocity using parts (e) and (f), starting with 

$$\prod_{\ell=1}^{(p-1)/2} f\left(\frac{\ell q}{p}\right) = \left(\frac{q}{p}\right) \prod_{\ell=1}^{(p-1)/2} f\left(\frac{\ell}{p}\right).$$

(Hint: Use part (e) to obtain a formula for $f\left(\frac{\ell q}{p}\right) / f\left(\frac{\ell}{p}\right)$.) 

14. Suppose that p is an odd prime with = — 1, where $n = k2^m + 1$ with $k < 2^m$ for some 

integers k and m. Show that n is prime if and only if 2 = — 1 (mod n). (Hint: Use 
Proth’s theorem from Section 9.5 for the “only if’ part, and Euler’s criterion and the law of 
quadratic reciprocity for the “if’ part.) 

15. The integer $p = 1 + 8 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19 \cdot 23 = 892,371,481$ is prime (as the reader 
can verify using computational software). Show that for all primes q with $q \le 23$, $\left(\frac{q}{p}\right) = 1$. 

Conclude that there is no quadratic nonresidue of p less than 29 and that p has no primitive 
root less than 29. (This fact is a particular case of the result established in the following 
exercise.) 

16. In this exercise, we will show that given any integer M, there exist infinitely many primes p 
such that $M < r_p < p - M$, where $r_p$ is the least primitive root modulo p. 

a) Let $q_1 = 2, q_2 = 3, q_3 = 5, \ldots, q_n$ be all the primes not exceeding M. Using Dirichlet’s 
theorem on primes in arithmetic progressions, there is a prime $p = 1 + 8q_1 q_2 \cdots q_n r$, 
where r is a positive integer. Show that = h = h and that = 1 for 
i = 2, 3, . . . , n. 

b) Deduce that all integers t + kp with — M<t + kp<M, where t is an arbitrarily chosen 
integer, are quadratic residues modulo p and hence not primitive roots modulo p. Show 
that this implies the result of interest. 

* 17. New proofs of the law of quadratic reciprocity are found surprisingly often. In this exercise, 
we fill in the steps of a proof discovered by Kim [Ki04], the 221st proof of quadratic 
reciprocity according to Lemmermeyer as of early 2010. To set up the proof, let p and q 
be distinct odd primes and R be the set of integers a such that 1 < a < and (a, pq) = 1, 
let S be the set of integers a with 1 < a < and (a, p) = 1, and let T be the set of integers 
q • 1, q • 2, . . . , q • Finally, let $A = \prod_{a \in R} a$. 

a) Show that T is a subset of S and that R = S − T. 

b) Use part (a) and Euler’s criterion to show that $A \equiv (-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) \pmod p$. 

c) Show that $A \equiv (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right) \pmod q$ by switching the roles of p and q in parts (a) and 
(b). 

d) Use parts (b) and (c) to show that $(-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right)$ if and only if $A \equiv \pm 1 
\pmod{pq}$. 

e) Show that $A \equiv 1$ or $-1 \pmod{pq}$ if and only if $p \equiv q \equiv 1 \pmod 4$. 

(Hint: First, show that $A \equiv \pm \prod_{a \in U} a \pmod{pq}$, where $U = \{a \in R \mid a^2 \equiv \pm 1 \pmod{pq}\}$, by 
pairing together elements of R that have either 1 or −1 as their product. Then, consider the solutions 
of each of the congruences $a^2 \equiv 1 \pmod{pq}$ and $a^2 \equiv -1 \pmod{pq}$.) 

f) Conclude from parts (d) and (e) that $(-1)^{\frac{q-1}{2}} \left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}} \left(\frac{p}{q}\right)$ if and only if $p \equiv q \equiv 1 
\pmod 4$. Deduce the law of quadratic reciprocity from this congruence. 

Computations and Explorations 

1. Use Pepin’s test to show that the Fermat numbers $F_6$, $F_7$, and $F_8$ are all composite. Can you 
go further? 

Programming Projects 

1. Evaluate Legendre symbols, using the law of quadratic reciprocity. 

2. Given a positive integer n, determine whether the nth Fermat number $F_n$ is prime, using 
Pepin’s test. 


11.3 The Jacobi Symbol 

In this section, we define the Jacobi symbol, named after the German mathematician 
Carl Jacobi, who introduced it. The Jacobi symbol is a generalization of the Legendre 
symbol studied in the previous two sections. Jacobi symbols enjoy a reciprocity law 
identical to the law of quadratic reciprocity, but which holds for all pairs of relatively prime 
odd integers. This reciprocity law reduces to the law of quadratic reciprocity for all pairs 
of distinct odd primes. We will also see the reciprocity law for Jacobi symbols can be 
used to efficiently evaluate Legendre symbols, unlike the law of quadratic reciprocity. 
Moreover, Jacobi symbols are also used to define another type of pseudoprimes, namely, 
Euler pseudoprimes, which are discussed in Section 11.4. 


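Definition. Let n be an odd positive integer with prime factorization $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$ 
and let a be an integer relatively prime to n. Then, the Jacobi symbol $\left(\frac{a}{n}\right)$ is defined by 

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{t_1} \left(\frac{a}{p_2}\right)^{t_2} \cdots \left(\frac{a}{p_m}\right)^{t_m},$$

where the symbols on the right-hand side of the equality are Legendre symbols. 


When (a, n) = 1, the Jacobi symbol $\left(\frac{a}{n}\right) = \pm 1$, as each Legendre symbol in the definition 
is ±1. When $(a, n) \ne 1$, we have $\left(\frac{a}{n}\right) = 0$. To see this, note that if $(a, n) \ne 1$, there must 
be a prime p dividing both a and n. This implies that the Legendre symbol $\left(\frac{a}{p}\right)$, which 
equals 0, occurs in the definition of $\left(\frac{a}{n}\right)$. 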


CARL GUSTAV JACOB JACOBI (1804-1851) was born into a well-to-do 
German banking family. Jacobi received an excellent early education at home. 
He studied at the University of Berlin, mastered mathematics through the texts 
of Euler, and obtained his doctorate in 1825. In 1826, he became a lecturer at the 
University of Königsberg; he was appointed a professor there in 1831. Besides 
his work in number theory, Jacobi made important contributions to analysis, 
geometry, and mechanics. He was also interested in the history of mathematics, 
and was a catalyst in the publication of the collected works of Euler, a job not 
yet completed although it was begun more than 125 years ago! 


Example 11.13. From the definition of the Jacobi symbol, we see that 

and 


aMAMi)’©-'-'*-'’-' 

X”)-©GXS) 



(-d 2 i 2 (-i) = -i. 


When n is prime, the Jacobi symbol is the same as the Legendre symbol. However, 
when n is composite, the value of the Jacobi symbol $\left(\frac{a}{n}\right)$ does not tell us whether the 
congruence $x^2 \equiv a \pmod n$ has solutions. We do know that if the congruence $x^2 \equiv a 
\pmod n$ has solutions, then $\left(\frac{a}{n}\right) = 1$. To see this, note that if p is a prime divisor of n and 
if $x^2 \equiv a \pmod n$ has solutions, then the congruence $x^2 \equiv a \pmod p$ also has solutions. 
Thus, $\left(\frac{a}{p}\right) = 1$. Consequently, $\left(\frac{a}{n}\right) = \prod_{j=1}^{m} \left(\frac{a}{p_j}\right)^{t_j} = 1$, where the prime factorization of 
n is $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$. To see that it is possible that $\left(\frac{a}{n}\right) = 1$ when there are no solutions 
to $x^2 \equiv a \pmod n$, let a = 2 and n = 15. Note that $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)(-1) = 1$. 

However, there are no solutions to $x^2 \equiv 2 \pmod{15}$, because the congruences $x^2 \equiv 2 
\pmod 3$ and $x^2 \equiv 2 \pmod 5$ have no solutions. 


Properties of Jacobi Symbols 

We now show that the Jacobi symbol enjoys some properties similar to those of the 
Legendre symbol. 


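Theorem 11.10. Let n be an odd positive integer and let a and b be integers relatively 
prime to n. Then 

(i) if $a \equiv b \pmod n$, then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$; 

(ii) $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$; 

(iii) $\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$; 

(iv) $\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}$. 

Proof. In the proof of this theorem, we use the prime factorization $n = p_1^{t_1} p_2^{t_2} \cdots p_m^{t_m}$. 

Proof of (i). We know that if p is a prime dividing n, then $a \equiv b \pmod p$. Hence, by 
Theorem 11.4 (i), we have $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$. Consequently, we see that 

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{t_1} \left(\frac{a}{p_2}\right)^{t_2} \cdots \left(\frac{a}{p_m}\right)^{t_m} = \left(\frac{b}{p_1}\right)^{t_1} \left(\frac{b}{p_2}\right)^{t_2} \cdots \left(\frac{b}{p_m}\right)^{t_m} = \left(\frac{b}{n}\right).$$

Proof of (ii). By Theorem 11.4 (ii), we know that $\left(\frac{ab}{p_i}\right) = \left(\frac{a}{p_i}\right)\left(\frac{b}{p_i}\right)$ for i = 
1, 2, 3, . . . , m. Hence, 

$$\left(\frac{ab}{n}\right) = \left(\frac{ab}{p_1}\right)^{t_1} \cdots \left(\frac{ab}{p_m}\right)^{t_m} = \left(\frac{a}{p_1}\right)^{t_1} \left(\frac{b}{p_1}\right)^{t_1} \cdots \left(\frac{a}{p_m}\right)^{t_m} \left(\frac{b}{p_m}\right)^{t_m} = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right).$$

Proof of (iii). Theorem 11.5 tells us that if p is prime, then $\left(\frac{-1}{p}\right) = (-1)^{(p-1)/2}$. 
Consequently, 

$$\left(\frac{-1}{n}\right) = \left(\frac{-1}{p_1}\right)^{t_1} \left(\frac{-1}{p_2}\right)^{t_2} \cdots \left(\frac{-1}{p_m}\right)^{t_m} = (-1)^{t_1(p_1-1)/2 + t_2(p_2-1)/2 + \cdots + t_m(p_m-1)/2}.$$

Using the prime factorization of n, we see that 

$$n = (1 + (p_1 - 1))^{t_1} (1 + (p_2 - 1))^{t_2} \cdots (1 + (p_m - 1))^{t_m}.$$

Because $p_i - 1$ is even, it follows that 

$$(1 + (p_i - 1))^{t_i} \equiv 1 + t_i(p_i - 1) \pmod 4$$

and 

$$(1 + t_i(p_i - 1))(1 + t_j(p_j - 1)) \equiv 1 + t_i(p_i - 1) + t_j(p_j - 1) \pmod 4.$$

Therefore, 

$$n \equiv 1 + t_1(p_1 - 1) + t_2(p_2 - 1) + \cdots + t_m(p_m - 1) \pmod 4,$$

which implies that 

$$(n - 1)/2 \equiv t_1(p_1 - 1)/2 + t_2(p_2 - 1)/2 + \cdots + t_m(p_m - 1)/2 \pmod 2.$$

Combining this congruence for (n − 1)/2 with the expression for $\left(\frac{-1}{n}\right)$ shows that 
$\left(\frac{-1}{n}\right) = (-1)^{(n-1)/2}$. 

Proof of (iv). By Theorem 11.6, if p is prime, then $\left(\frac{2}{p}\right) = (-1)^{(p^2-1)/8}$. Hence, 

$$\left(\frac{2}{n}\right) = \left(\frac{2}{p_1}\right)^{t_1} \left(\frac{2}{p_2}\right)^{t_2} \cdots \left(\frac{2}{p_m}\right)^{t_m} = (-1)^{t_1(p_1^2-1)/8 + t_2(p_2^2-1)/8 + \cdots + t_m(p_m^2-1)/8}.$$

As in the proof of (iii), we note that 

$$n^2 = (1 + (p_1^2 - 1))^{t_1} (1 + (p_2^2 - 1))^{t_2} \cdots (1 + (p_m^2 - 1))^{t_m}.$$

Because $p_i^2 - 1 \equiv 0 \pmod 8$ for i = 1, 2, . . . , m, we see that 

$$(1 + (p_i^2 - 1))^{t_i} \equiv 1 + t_i(p_i^2 - 1) \pmod{64}$$

and 

$$(1 + t_i(p_i^2 - 1))(1 + t_j(p_j^2 - 1)) \equiv 1 + t_i(p_i^2 - 1) + t_j(p_j^2 - 1) \pmod{64}.$$

Hence, 

$$n^2 \equiv 1 + t_1(p_1^2 - 1) + t_2(p_2^2 - 1) + \cdots + t_m(p_m^2 - 1) \pmod{64},$$

which implies that 

$$(n^2 - 1)/8 \equiv t_1(p_1^2 - 1)/8 + t_2(p_2^2 - 1)/8 + \cdots + t_m(p_m^2 - 1)/8 \pmod 8.$$

Combining this congruence for $(n^2 - 1)/8$ with the expression for $\left(\frac{2}{n}\right)$ tells us that 

$$\left(\frac{2}{n}\right) = (-1)^{(n^2-1)/8}.$$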


The Reciprocity Law for Jacobi Symbols 

We now demonstrate that the reciprocity law holds for the Jacobi symbol as well as the 
Legendre symbol. 


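Theorem 11.11. The Reciprocity Law for Jacobi Symbols. Let n and m be relatively 
prime odd positive integers greater than 1. Then 

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}.$$

Proof. Let the prime factorizations of m and n be $m = p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$ and $n = q_1^{b_1} q_2^{b_2} \cdots 
q_r^{b_r}$. We see that 

$$\left(\frac{m}{n}\right) = \prod_{i=1}^{r} \left(\frac{m}{q_i}\right)^{b_i} = \prod_{i=1}^{r} \prod_{j=1}^{s} \left(\frac{p_j}{q_i}\right)^{b_i a_j}$$

and 

$$\left(\frac{n}{m}\right) = \prod_{j=1}^{s} \left(\frac{n}{p_j}\right)^{a_j} = \prod_{j=1}^{s} \prod_{i=1}^{r} \left(\frac{q_i}{p_j}\right)^{a_j b_i}.$$

Thus, 

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i=1}^{r} \prod_{j=1}^{s} \left[\left(\frac{p_j}{q_i}\right)\left(\frac{q_i}{p_j}\right)\right]^{a_j b_i}.$$

By the law of quadratic reciprocity, we know that 

$$\left(\frac{p_j}{q_i}\right)\left(\frac{q_i}{p_j}\right) = (-1)^{\frac{p_j-1}{2} \cdot \frac{q_i-1}{2}}.$$

Hence, 

$$(11.8) \qquad \left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = \prod_{i=1}^{r} \prod_{j=1}^{s} (-1)^{a_j \left(\frac{p_j-1}{2}\right) b_i \left(\frac{q_i-1}{2}\right)} = (-1)^{\sum_{i=1}^{r} \sum_{j=1}^{s} a_j \left(\frac{p_j-1}{2}\right) b_i \left(\frac{q_i-1}{2}\right)}.$$

We note that 

$$\sum_{i=1}^{r} \sum_{j=1}^{s} a_j \left(\frac{p_j-1}{2}\right) b_i \left(\frac{q_i-1}{2}\right) = \sum_{j=1}^{s} a_j \left(\frac{p_j-1}{2}\right) \sum_{i=1}^{r} b_i \left(\frac{q_i-1}{2}\right).$$

As we demonstrated in the proof of Theorem 11.10 (iii), 

$$\sum_{j=1}^{s} a_j \left(\frac{p_j-1}{2}\right) \equiv \frac{m-1}{2} \pmod 2$$

and 

$$\sum_{i=1}^{r} b_i \left(\frac{q_i-1}{2}\right) \equiv \frac{n-1}{2} \pmod 2.$$

Thus, 

$$(11.9) \qquad \sum_{i=1}^{r} \sum_{j=1}^{s} a_j \left(\frac{p_j-1}{2}\right) b_i \left(\frac{q_i-1}{2}\right) \equiv \frac{m-1}{2} \cdot \frac{n-1}{2} \pmod 2.$$

Therefore, by equations (11.8) and (11.9), we can conclude that 

$$\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2} \cdot \frac{n-1}{2}}. \qquad ■$$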

Evaluating Legendre and Jacobi Symbols 

When we use quadratic reciprocity to evaluate Legendre symbols, we often have to 
factor one or more Legendre symbols before we can exchange the numerators and 
denominators of the Legendre symbols that arise. This is illustrated in Example 11.10 
where we calculated $\left(\frac{713}{1009}\right)$. As there is no efficient algorithm known for factoring 
integers, evaluating Legendre symbols by successive use of quadratic reciprocity is not 
efficient. As Jacobi realized, we can avoid this problem when we use Jacobi symbols and 
their reciprocity law to compute Legendre symbols. Compare the following example to 
Example 11.10 to see the difference. 


Example 11.14. Successively using the reciprocity law for Jacobi symbols, Theorem 
11.11, and the properties of Jacobi symbols in Theorem 11.10, we find that 

$$\left(\frac{713}{1009}\right) = \left(\frac{1009}{713}\right) = \left(\frac{296}{713}\right) = \left(\frac{2}{713}\right)^3 \left(\frac{37}{713}\right) = \left(\frac{713}{37}\right) = \left(\frac{10}{37}\right) = -\left(\frac{5}{37}\right) = -\left(\frac{37}{5}\right) = -\left(\frac{2}{5}\right) = 1.$$

We have used the reciprocity law for Jacobi symbols to establish the first, fourth, and 
seventh equalities. We used part (i) of Theorem 11.10 to obtain the second, fifth, and 
eighth equalities, part (ii) to obtain the third and sixth equalities, and part (iv) to obtain 
the fourth, sixth, and ninth equalities. ◄ 

We now use Theorem 11.10 and the reciprocity law for Jacobi symbols to develop 
an efficient algorithm for computing Jacobi symbols, and consequently, for computing 
Legendre symbols. Let a and b be relatively prime positive integers with a > b. Let 
$R_0 = a$ and $R_1 = b$. Using the division algorithm and factoring out the highest power of 
2 dividing the remainder, we obtain 

$$R_0 = R_1 q_1 + 2^{s_1} R_2,$$

where $s_1$ is a nonnegative integer and $R_2$ is an odd positive integer less than $R_1$. When 
we successively use the division algorithm, and factor out the highest power of 2 that 
divides remainders, we obtain 

$$\begin{aligned} R_1 &= R_2 q_2 + 2^{s_2} R_3 \\ R_2 &= R_3 q_3 + 2^{s_3} R_4 \\ &\;\;\vdots \\ R_{n-3} &= R_{n-2} q_{n-2} + 2^{s_{n-2}} R_{n-1} \\ R_{n-2} &= R_{n-1} q_{n-1} + 2^{s_{n-1}} \cdot 1, \end{aligned}$$

where $s_j$ is a nonnegative integer and $R_j$ is an odd positive integer less than $R_{j-1}$ for 
j = 2, 3, . . . , n − 1. Note that the number of divisions required to reach the final equation 
does not exceed the number of divisions required to find the greatest common divisor of 
a and b using the Euclidean algorithm. 

We illustrate this sequence of equations with the following example. 

Example 11.15. Let a = 401 and b = 111. Then 

$$\begin{aligned} 401 &= 111 \cdot 3 + 2^2 \cdot 17 \\ 111 &= 17 \cdot 6 + 2^0 \cdot 9 \\ 17 &= 9 \cdot 1 + 2^3 \cdot 1. \end{aligned}$$ ◄ 

Using the sequence of equations that we have described, together with the properties 
of the Jacobi symbol, we prove the following theorem, which gives an algorithm for 
evaluating Jacobi symbols. 

Theorem 11.12. Let a and b be positive integers with a > b. Then 



where the integers $R_j$ and $s_j$, j = 1, 2, . . . , n − 1, are as previously described. 

Proof. From the first equation with (i), (ii), and (iv) of Theorem 11.10, we have 

Using Theorem 11.11, the reciprocity law for Jacobi symbols, we have 

so that 

Similarly, using the subsequent divisions, we find that 



Rj-l R 

= (-1)T— 



for j = 2, 3, . . . , n — 1. When we combine all the equalities, we obtain the desired 
expression for (|). ■ 

The following example illustrates the use of Theorem 11.12. 


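Example 11.16. To evaluate $\left(\frac{401}{111}\right)$, we use the sequence of divisions in Example 11.15 
and Theorem 11.12. This tells us that 

$$\left(\frac{401}{111}\right) = (-1)^{2 \cdot \frac{111^2-1}{8} + 0 \cdot \frac{17^2-1}{8} + 3 \cdot \frac{9^2-1}{8} + \frac{111-1}{2} \cdot \frac{17-1}{2} + \frac{17-1}{2} \cdot \frac{9-1}{2}} = 1.$$ ◄ 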


The following corollary describes the computational complexity of the algorithm 
for evaluating Jacobi symbols given in Theorem 11.12. 


Corollary 11.12.1. Let a and b be relatively prime positive integers with a > b. Then 
the Jacobi symbol $\left(\frac{a}{b}\right)$ can be evaluated using $O((\log_2 b)^3)$ bit operations. 

Proof. To find $\left(\frac{a}{b}\right)$ using Theorem 11.12, we perform a sequence of $O(\log_2 b)$ divisions. 
To see this, note that the number of divisions does not exceed the number of divisions 
needed to find (a, b) using the Euclidean algorithm. Thus, by Lamé’s theorem, we know 
that $O(\log_2 b)$ divisions are needed. Each division can be done using $O((\log_2 b)^2)$ bit 
operations. Each pair of integers $R_j$ and $s_j$ can be found using $O(\log_2 b)$ bit operations 
once the appropriate division has been carried out. 

Consequently, $O((\log_2 b)^3)$ bit operations are required to find the integers $R_j$, 
$s_j$, j = 1, 2, . . . , n − 1, from a and b. Finally, to evaluate the exponent of −1 in 
the expression for $\left(\frac{a}{b}\right)$ in Theorem 11.12, we use the last three bits in the binary 
expansions of $R_j$, j = 1, 2, . . . , n − 1, and the last bit in the binary expansions of 
$s_j$, j = 1, 2, . . . , n − 1. Therefore, we use $O(\log_2 b)$ additional bit operations to find 
$\left(\frac{a}{b}\right)$. Because $O((\log_2 b)^3) + O(\log_2 b) = O((\log_2 b)^3)$, the corollary holds. ■ 

We can improve this corollary if we use more care when estimating the number of bit 
operations used by divisions. In particular, we can show that $O((\log_2 b)^2)$ bit operations 
suffice for evaluating $\left(\frac{a}{b}\right)$. We leave this as an exercise. 
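
The division sequence described above turns directly into a factorization-free procedure. The Python sketch below is an added example, not part of the text: `division_steps` produces the rows $R_{j-1} = R_j q_j + 2^{s_j} R_{j+1}$, and `jacobi` accumulates the exponent of −1 by applying parts (i), (ii), and (iv) of Theorem 11.10 and Theorem 11.11 at each row. The function names are chosen here; `jacobi_by_definition`, which factors b by trial division, is included only as a slow cross-check.

```python
# Added illustration of the Jacobi symbol algorithm; names are hypothetical.

def division_steps(a, b):
    """Yield rows (R_prev, R_cur, q, s, R_next) with
    R_prev = R_cur*q + 2**s * R_next and R_next odd, until R_next = 1."""
    prev, cur = a, b
    while cur > 1:
        q, rem = divmod(prev, cur)
        if rem == 0:
            raise ArithmeticError("a and b are not relatively prime")
        s = 0
        while rem % 2 == 0:              # factor out the highest power of 2
            rem //= 2
            s += 1
        yield (prev, cur, q, s, rem)
        prev, cur = cur, rem


def jacobi(a, b):
    """Jacobi symbol (a/b) for odd positive b, without factoring b."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("b must be an odd positive integer")
    exponent = 0
    try:
        for _prev, cur, _q, s, nxt in division_steps(a, b):
            # (i), (ii), (iv): (prev/cur) = (2/cur)^s * (nxt/cur)
            exponent += s * (cur * cur - 1) // 8
            # Theorem 11.11: swap (nxt/cur) for (cur/nxt)
            exponent += ((cur - 1) // 2) * ((nxt - 1) // 2)
    except ArithmeticError:
        return 0                          # (a, b) > 1
    return -1 if exponent % 2 else 1


def jacobi_by_definition(a, n):
    """Cross-check: factor n by trial division and multiply Legendre symbols
    obtained from Euler's criterion."""
    result, p = 1, 3
    while n > 1:
        if p * p > n:
            p = n                         # what remains is prime
        if n % p == 0:
            r = pow(a % p, (p - 1) // 2, p)
            symbol = 0 if r == 0 else (1 if r == 1 else -1)
            while n % p == 0:
                n //= p
                result *= symbol
        p += 2
    return result


if __name__ == "__main__":
    for row in division_steps(401, 111):  # the rows of Example 11.15
        print(row)
    print(jacobi(401, 111), jacobi(713, 1009), jacobi(2, 15))
```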

11.3 Exercises 

1. Evaluate each of the following Jacobi symbols. 

a) (A) c)(Hk) e)(H) 

b) («r) «G») 0(Sffi) 

2. For which positive integers n that are relatively prime to 15 does the Jacobi symbol 
equal 1? 

3. For which positive integers n that are relatively prime to 30 does the Jacobi symbol 
equal 1? 

Suppose that n = pq, where p and q are primes. We say that the integer a is a pseudo-square 
modulo n if a is a quadratic nonresidue of n, but (|) = 1. 

4. Show that if a is a pseudo-square modulo n, then = — 1. 

5. Find all the pseudo-squares modulo 21. 

6. Find all the pseudo-squares modulo 35. 

7. Find all the pseudo-squares modulo 143. 

8. Let a and b be relatively prime integers such that b is odd and positive and $a = (-1)^s 2^t q$, 
where q is odd. Show that 

9. Let n be an odd square-free positive integer. Show that there is an integer a such that (a, n) = 1 
and (|) = -1. 

10. Let n be an odd square-free positive integer. 

a) Show that ) = 0, where the sum is taken over all k in a reduced set of residues 
modulo n. (Hint: Use Exercise 9.) 

b) From part (a), show that the number of integers in a reduced set of residues modulo n such 
that = 1 is equal to the number with = — 1. 

* 11. Let a and $b = r_0$ be relatively prime odd positive integers such that 

$$a = r_0 q_1 + \varepsilon_1 r_1$$
$$r_0 = r_1 q_2 + \varepsilon_2 r_2$$
$$\vdots$$
$$r_{n-2} = r_{n-1} q_n + \varepsilon_n r_n$$

where $q_i$ is a nonnegative even integer, $\varepsilon_i = \pm 1$, $r_i$ is a positive integer with $r_i < r_{i-1}$, for 
$i = 1, 2, \ldots, n$, and $r_n = 1$. These equations are obtained by successively using the modified 
division algorithm given in Exercise 18 of Section 1.5. 
a) Show that the Jacobi symbol $\left(\frac{a}{b}\right)$ is given by 



b) Show that the Jacobi symbol $\left(\frac{a}{b}\right)$ is given by 

$$\left(\frac{a}{b}\right) = (-1)^T,$$

where T is the number of integers i, $1 \le i \le n$, with $r_{i-1} \equiv \varepsilon_i r_i \equiv 3 \pmod 4$. 

* 12. Show that if a and b are odd integers and (a, b) = 1, then the following reciprocity law holds 
for the Jacobi symbol: 

$$\left(\frac{a}{|b|}\right)\left(\frac{b}{|a|}\right) = \begin{cases} -(-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}} & \text{if } a < 0 \text{ and } b < 0; \\ (-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}} & \text{otherwise.} \end{cases}$$


In Exercises 13-19, we deal with the Kronecker symbol (named after Leopold Kronecker), which is a 
generalization of the Jacobi symbol and is defined even when the integer n in the symbol 
$\left(\frac{a}{n}\right)$ is even. Let a be a positive integer that is not a perfect square such that $a \equiv 0$ or $1 \pmod 4$. 
We define the Kronecker symbol by setting: 

$$\left(\frac{a}{2}\right) = \begin{cases} 1 & \text{if } a \equiv 1 \pmod 8; \\ -1 & \text{if } a \equiv 5 \pmod 8, \end{cases}$$

$\left(\frac{a}{p}\right)$ = the Legendre symbol $\left(\frac{a}{p}\right)$ if p is an odd prime such that $p \nmid a$, and 

$\left(\frac{a}{n}\right) = \prod_{j} \left(\frac{a}{p_j}\right)^{t_j}$ if (a, n) = 1 and $n = \prod_{j} p_j^{t_j}$ is the prime factorization of n. 


13. Evaluate each of the following Kronecker symbols. 


a) (A) « (#) c, (*) 


For Exercises 14-19, let a be a positive integer that is not a perfect square such that a = 0 or 1 
(mod 4). 

14. Show that if $2 \nmid a$, where the symbol on the right is a Jacobi symbol. 

15. Show that if $n_1$ and $n_2$ are positive integers and if $(a, n_1 n_2) = 1$, then 

* 16. Show that if n is a positive integer relatively prime to a and if a is odd, then 
whereas if a is even and $a = 2^s t$, where t is odd, then 

* 17. Show that if $n_1$ and $n_2$ are positive integers greater than 1 relatively prime to a and 
$n_1 \equiv n_2 \pmod{|a|}$, then $\left(\frac{a}{n_1}\right) = \left(\frac{a}{n_2}\right)$. 

* 18. Show that if $|a| > 3$, then there exists a positive integer n such that $\left(\frac{a}{n}\right) = -1$. 

* 19. Show that if a ^ 0. then ( ra pi) = { _\ J 

20. Show that if a and b are relatively prime integers with a < b, then the Jacobi symbol $\left(\frac{a}{b}\right)$ can 
be evaluated using $O((\log_2 b)^2)$ bit operations. 


LEOPOLD KRONECKER (1823-1891) was born in Liegnitz, Prussia, to 
prosperous Jewish parents. His father was a successful businessman and his 
mother came from a wealthy family. As a child, Kronecker was taught by 
private tutors. He later entered the Liegnitz Gymnasium, where he was taught 
mathematics by the number theorist Kummer. Kronecker’s mathematical talents 
were quickly recognized by Kummer, who encouraged Kronecker to engage in 
mathematics research. In 1841, Kronecker entered Berlin University, where he 
studied mathematics, astronomy, meteorology, chemistry, and philosophy. In 
1845, Kronecker wrote his doctoral thesis on algebraic number theory; his supervisor was Dirichlet. 

Kronecker could have begun a promising academic career, but instead he returned to Liegnitz 
to help manage the banking business of an uncle. In 1848, Kronecker married a daughter of this 
uncle. During his time back in Liegnitz, Kronecker continued his research for his own enjoyment. In 
1855, when his family obligations eased, Kronecker returned to Berlin. He was eager to participate 
in the mathematical life of the university. Not holding a university post, he did not teach any classes. 
However, he was extremely active in research, and he published extensively in number theory, elliptic 
functions and algebra, and their interconnections. In 1860, Kronecker was elected to the Berlin 
Academy, giving him the right to lecture at Berlin University. He took advantage of this opportunity 
and lectured on number theory and other mathematical topics. Kronecker’s lectures were considered 
very demanding but were also considered to be stimulating. Unfortunately, he was not a popular 
teacher with average students; most of these dropped out of his courses by the end of the semester. 

Kronecker was a strong believer in constructive mathematics, thinking that mathematics should 
be concerned only with finite numbers and with a finite number of operations. He doubted the validity 
of nonconstructive existence proofs and was opposed to objects defined nonconstructively, such 
as irrational numbers. He did not believe that transcendental numbers could exist. He is famous 
for his statement: “God created the integers, all else is the work of man.” Kronecker’s belief in 
constructive mathematics was not shared by most of his colleagues, although he was not the only 
prominent mathematician to hold such beliefs. Many mathematicians found it difficult to get along 
with Kronecker, especially because he was prone to fallings out over mathematical disagreements. 
Also, Kronecker was self-conscious about his short height, reacting badly even to good-natured 
references to his short stature. 

Computations and Explorations 


1. Find the value of the Legendre symbol ( 2 355 15 1 ) • 

2. Find the value of the following Jacobi symbols: ( 65 sfg 7 9] ) , ( 54(^^7333 ), an ^ 

( 320,001 \ 

^11,111, 111,111,111 y 

Programming Projects 

1. Evaluate Jacobi symbols using the method of Theorem 11.12. 

2. Evaluate Jacobi symbols using Exercises 8 and 11. 

3. Evaluate Kronecker symbols (as defined in the preamble to Exercise 13). 


11.4 Euler Pseudoprimes 


Let p be an odd prime number and let b be an integer not divisible by p. By Euler’s 
criterion, we know that 

$$b^{(p-1)/2} \equiv \left(\frac{b}{p}\right) \pmod p.$$

Hence, if we wish to test the odd positive integer n for primality, we can take an integer 
b, with (b, n) = 1, and determine whether 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n,$$

where the symbol on the right-hand side of the congruence is the Jacobi symbol. If we 
find that this congruence fails, then n is composite. 


Example 11.17. Let n = 341 and b = 2. We calculate that $2^{170} \equiv 1 \pmod{341}$. Because 
$341 \equiv -3 \pmod 8$, using Theorem 11.10 (iv), we see that $\left(\frac{2}{341}\right) = -1$. Consequently, 
$2^{170} \not\equiv \left(\frac{2}{341}\right) \pmod{341}$. This demonstrates that 341 is not prime. ◄ 


Thus, we can define a type of pseudoprime based on Euler’s criterion. 


Definition. An odd, composite, positive integer n that satisfies the congruence 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n,$$

where b is a positive integer, is called an Euler pseudoprime to the base b. 


An Euler pseudoprime to the base b is a composite integer that masquerades as a 
prime by satisfying the congruence given in the definition. 

Example 11.18. Let n = 1105 and b = 2. We calculate that $2^{552} \equiv 1 \pmod{1105}$. 
Because $1105 \equiv 1 \pmod 8$, we see that $\left(\frac{2}{1105}\right) = 1$. Hence, $2^{552} \equiv \left(\frac{2}{1105}\right) \pmod{1105}$. 
Because 1105 is composite, it is an Euler pseudoprime to the base 2. ◄ 

The following theorem shows that every Euler pseudoprime to the base b is a 
pseudoprime to this base. 

Theorem 11.13. If n is an Euler pseudoprime to the base b, then n is a pseudoprime 
to the base b. 

Proof. If n is an Euler pseudoprime to the base b, then 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n.$$

Hence, by squaring both sides of this congruence, we find that 

$$\left(b^{(n-1)/2}\right)^2 \equiv \left(\frac{b}{n}\right)^2 \pmod n.$$

Because $\left(\frac{b}{n}\right) = \pm 1$, we see that $b^{n-1} \equiv 1 \pmod n$, which means that n is a pseudoprime 
to the base b. ■ 

Not every pseudoprime is an Euler pseudoprime. For example, the integer 341 is 
not an Euler pseudoprime to the base 2, as we have shown, but is a pseudoprime to this 
base. 

We know that every Euler pseudoprime is a pseudoprime. Next, we show that every 
strong pseudoprime is an Euler pseudoprime. 

Theorem 11.14. If n is a strong pseudoprime to the base b, then n is an Euler pseudoprime 
to this base. 

Proof. Let n be a strong pseudoprime to the base b. Then, if $n - 1 = 2^s t$, where t is 
odd, either $b^t \equiv 1 \pmod n$ or $b^{2^r t} \equiv -1 \pmod n$, where $0 \le r \le s - 1$. Let $n = \prod_{i=1}^{m} p_i^{a_i}$ 
be the prime-power factorization of n. 

First, consider the case where $b^t \equiv 1 \pmod n$. Let p be a prime divisor of n. Because 
$b^t \equiv 1 \pmod p$, we know that $\mathrm{ord}_p b \mid t$. Because t is odd, we see that $\mathrm{ord}_p b$ is also 
odd. Hence, $\mathrm{ord}_p b \mid (p - 1)/2$, because $\mathrm{ord}_p b$ is an odd divisor of the even integer 
$\phi(p) = p - 1$. Therefore, 

$$b^{(p-1)/2} \equiv 1 \pmod p.$$

Consequently, by Euler’s criterion, we have $\left(\frac{b}{p}\right) = 1$. 

To compute the Jacobi symbol $\left(\frac{b}{n}\right)$, we note that $\left(\frac{b}{p}\right) = 1$ for all primes p dividing 
n. Hence, 

$$\left(\frac{b}{n}\right) = \prod_{i=1}^{m} \left(\frac{b}{p_i}\right)^{a_i} = 1.$$

Because $b^t \equiv 1 \pmod n$, we know that $b^{(n-1)/2} = (b^t)^{2^{s-1}} \equiv 1 \pmod n$. Therefore, we 
have 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \equiv 1 \pmod n.$$

We conclude that n is an Euler pseudoprime to the base b. 

Next, we consider the case where 

$$b^{2^r t} \equiv -1 \pmod n$$

for some r with $0 \le r \le s - 1$. If p is a prime divisor of n, then 

$$b^{2^r t} \equiv -1 \pmod p.$$

Squaring both sides of this congruence, we obtain 

$$b^{2^{r+1} t} \equiv 1 \pmod p,$$

which implies that $\mathrm{ord}_p b \mid 2^{r+1} t$, and from the previous congruence we know that 
$\mathrm{ord}_p b \nmid 2^r t$. Hence, 

$$\mathrm{ord}_p b = 2^{r+1} c,$$

where c is an odd integer. Because $\mathrm{ord}_p b \mid (p - 1)$ and $2^{r+1} \mid \mathrm{ord}_p b$, it follows that 
$2^{r+1} \mid (p - 1)$. Therefore, we have $p = 2^{r+1} d + 1$, where d is an integer. Because 

$$b^{(\mathrm{ord}_p b)/2} \equiv -1 \pmod p,$$

we have 

$$\left(\frac{b}{p}\right) \equiv b^{(p-1)/2} = b^{(\mathrm{ord}_p b/2)((p-1)/\mathrm{ord}_p b)} \equiv (-1)^{(p-1)/\mathrm{ord}_p b} = (-1)^{(p-1)/(2^{r+1} c)} \pmod p.$$

Because c is odd, we know that $(-1)^c = -1$. Hence, 

(11.10) $\left(\frac{b}{p}\right) = (-1)^{(p-1)/2^{r+1}} = (-1)^d$, 

recalling that $d = (p - 1)/2^{r+1}$. Because each prime $p_i$ dividing n is of the form $p_i = 
2^{r+1} d_i + 1$, it follows that 

$$n = \prod_{i=1}^{m} p_i^{a_i} = \prod_{i=1}^{m} (2^{r+1} d_i + 1)^{a_i} \equiv \prod_{i=1}^{m} (1 + 2^{r+1} a_i d_i) \equiv 1 + 2^{r+1} \sum_{i=1}^{m} a_i d_i \pmod{2^{2r+2}}.$$

Therefore, 

$$t\,2^{s-1} = (n - 1)/2 \equiv 2^r \sum_{i=1}^{m} a_i d_i \pmod{2^{r+1}}.$$

This congruence implies that 

$$t\,2^{s-1-r} \equiv \sum_{i=1}^{m} a_i d_i \pmod 2$$

and 

(11.11) $b^{(n-1)/2} = (b^{2^r t})^{2^{s-1-r}} \equiv (-1)^{2^{s-1-r}} = (-1)^{\sum_{i=1}^{m} a_i d_i} \pmod n$. 

On the other hand, from (11.10), we have 

$$\left(\frac{b}{n}\right) = \prod_{i=1}^{m} \left(\frac{b}{p_i}\right)^{a_i} = \prod_{i=1}^{m} \left((-1)^{d_i}\right)^{a_i} = \prod_{i=1}^{m} (-1)^{a_i d_i} = (-1)^{\sum_{i=1}^{m} a_i d_i}.$$

Therefore, combining the preceding equation with (11.11), we see that 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n.$$

Consequently, n is an Euler pseudoprime to the base b. ■ 

Although every strong pseudoprime to the base b is an Euler pseudoprime to this 
base, note that not every Euler pseudoprime to the base b is a strong pseudoprime to the 
base b, as the following example shows. 

Example 11.19. We have shown in Example 11.18 that the integer 1105 is an Euler 
pseudoprime to the base 2. However, 1105 is not a strong pseudoprime to the base 2, 
because 

$$2^{(1105-1)/2} = 2^{552} \equiv 1 \pmod{1105},$$

whereas 

$$2^{(1105-1)/2^2} = 2^{276} \equiv 781 \not\equiv \pm 1 \pmod{1105}.$$

Although an Euler pseudoprime to the base b is not always a strong pseudoprime to 
this base, when certain additional conditions are met, an Euler pseudoprime to the base 
b is, in fact, a strong pseudoprime to this base. The following two theorems give results 
of this kind. 


Theorem 11.15. If $n \equiv 3 \pmod 4$ and n is an Euler pseudoprime to the base b, then n 
is a strong pseudoprime to the base b. 

Proof. From the congruence $n \equiv 3 \pmod 4$, we know that $n - 1 = 2 \cdot t$, where $t = 
(n - 1)/2$ is odd. Because n is an Euler pseudoprime to the base b, it follows that 

$$b^t = b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n.$$

Because $\left(\frac{b}{n}\right) = \pm 1$, we know that either $b^t \equiv 1 \pmod n$ or $b^t \equiv -1 \pmod n$. 

Hence, one of the congruences in the definition of a strong pseudoprime to the base 
b must hold. Consequently, n is a strong pseudoprime to the base b. ■ 


Theorem 11.16. If n is an Euler pseudoprime to the base b and $\left(\frac{b}{n}\right) = -1$, then n is a 
strong pseudoprime to the base b. 

Proof. We write $n - 1 = 2^s t$, where t is odd and s is a positive integer. Because n is an 
Euler pseudoprime to the base b, we have 

$$b^{t 2^{s-1}} = b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n.$$

But because $\left(\frac{b}{n}\right) = -1$, we see that 

$$b^{t 2^{s-1}} \equiv -1 \pmod n.$$

This is one of the congruences in the definition of a strong pseudoprime to the base b. 
Because n is composite, it is a strong pseudoprime to the base b. ■ 

Using the concept of Euler pseudoprimality, we will develop a probabilistic primal- 
ity test. This test was first suggested by Solovay and Strassen [SoSt 77]. 

Before presenting the test, we give some helpful lemmas. 


Lemma 11.4. If n is an odd positive integer that is not a perfect square, then there is at 
least one integer b with 1 < b < n, (b, n) = 1, and $\left(\frac{b}{n}\right) = -1$, where $\left(\frac{b}{n}\right)$ is the Jacobi 
symbol. 

Proof. If n is prime, the existence of such an integer b is guaranteed by Theorem 11.1. 
If n is composite, because n is not a perfect square, we can write n = rs, where (r, s) = 1 
and $r = p^e$, with p an odd prime and e an odd positive integer. 

Now let t be a quadratic nonresidue of the prime p; such a t exists by Theorem 11.1. 
We use the Chinese remainder theorem to find an integer b such that 1 < b < n, (b, n) = 1, 
and such that b satisfies the two congruences 

$$b \equiv t \pmod r$$
$$b \equiv 1 \pmod s.$$

Then 

$$\left(\frac{b}{r}\right) = \left(\frac{b}{p}\right)^e = \left(\frac{t}{p}\right)^e = (-1)^e = -1$$

and $\left(\frac{b}{s}\right) = 1$. Because $\left(\frac{b}{n}\right) = \left(\frac{b}{r}\right)\left(\frac{b}{s}\right)$, it follows that $\left(\frac{b}{n}\right) = -1$. 


Lemma 11.5. Let n be an odd composite integer. Then there is at least one integer b 
with 1 < b < n, (b, n) = 1, and 

$$b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod n.$$

Proof. Assume, for all positive integers not exceeding n and relatively prime to n, that 

(11.12) $b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$. 

Squaring both sides of this congruence tells us that 

$$b^{n-1} \equiv \left(\frac{b}{n}\right)^2 \equiv (\pm 1)^2 = 1 \pmod n,$$

if (b, n) = 1. Hence, n must be a Carmichael number. Therefore, by Theorem 9.24, we 
know that $n = q_1 q_2 \cdots q_r$, where $q_1, q_2, \ldots, q_r$ are distinct odd primes. 

We will now show that 

$$b^{(n-1)/2} \equiv 1 \pmod n$$

for all integers b with 1 < b < n and (b, n) = 1. Suppose that b is an integer such that 

$$b^{(n-1)/2} \equiv -1 \pmod n.$$

We use the Chinese remainder theorem to find an integer a with 1 < a < n, (a, n) = 1, 
and 

$$a \equiv b \pmod{q_1}$$
$$a \equiv 1 \pmod{q_2 q_3 \cdots q_r}.$$

Then, we observe that 

(11.13) $a^{(n-1)/2} \equiv b^{(n-1)/2} \equiv -1 \pmod{q_1}$, 

whereas 

(11.14) $a^{(n-1)/2} \equiv 1 \pmod{q_2 q_3 \cdots q_r}$. 

From congruences (11.13) and (11.14), we see that 

$$a^{(n-1)/2} \not\equiv \pm 1 \pmod n,$$

contradicting congruence (11.12). Hence, we must have 

$$b^{(n-1)/2} \equiv 1 \pmod n,$$

for all b with 1 < b < n and (b, n) = 1. Consequently, from hypothesis (11.12), we know 
that 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \equiv 1 \pmod n,$$

which implies that $\left(\frac{b}{n}\right) = 1$ for all b with 1 < b < n and (b, n) = 1. However, Lemma 
11.4 tells us that this is impossible. Hence, the original assumption is false. There must 
be at least one integer b with 1 < b < n, (b, n) = 1, and 

$$b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod n.$$ ■ 

We can now state and prove the theorem that is the basis of the probabilistic primality 

test. 

Theorem 11.17. Let n be an odd composite integer. Then the number of positive 
integers less than n and relatively prime to n that are bases to which n is an Euler 
pseudoprime does not exceed $\phi(n)/2$. 

Proof. By Lemma 11.5, we know that there is an integer b with 1 < b < n, (b, n) = 1, 
and 

(11.15) $b^{(n-1)/2} \not\equiv \left(\frac{b}{n}\right) \pmod n$. 

Now, let $a_1, a_2, \ldots, a_m$ denote the integers satisfying $1 < a_j < n$, $(a_j, n) = 1$, and 

(11.16) $a_j^{(n-1)/2} \equiv \left(\frac{a_j}{n}\right) \pmod n$, 

for $j = 1, 2, \ldots, m$. 

Let $r_1, r_2, \ldots, r_m$ be the least positive residues of the integers $ba_1, ba_2, \ldots, ba_m$ 
modulo n. We note that the integers $r_j$ are distinct and that $(r_j, n) = 1$ for $j = 
1, 2, \ldots, m$. Furthermore, 

(11.17) $r_j^{(n-1)/2} \not\equiv \left(\frac{r_j}{n}\right) \pmod n$; 

for, if it were true that 

$$r_j^{(n-1)/2} \equiv \left(\frac{r_j}{n}\right) \pmod n,$$

then we would have 

$$(ba_j)^{(n-1)/2} \equiv \left(\frac{ba_j}{n}\right) \pmod n,$$

which would imply that 

$$b^{(n-1)/2} a_j^{(n-1)/2} \equiv \left(\frac{b}{n}\right)\left(\frac{a_j}{n}\right) \pmod n,$$

and because (11.16) holds, we would have 

$$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n,$$

contradicting (11.15). 

Because $a_j$, $j = 1, 2, \ldots, m$, satisfies the congruence (11.16), whereas $r_j$, $j = 
1, 2, \ldots, m$, does not, as (11.17) shows, we know that these two sets of integers share 
no common elements. Hence, looking at the two sets together, we have a total of 2m 
distinct positive integers less than n and relatively prime to n. Because there are $\phi(n)$ 
integers less than n that are relatively prime to n, we can conclude that $2m \le \phi(n)$, so 
that $m \le \phi(n)/2$. This proves the theorem. ■ 

By Theorem 11.17, we see that if n is an odd composite integer, when an integer 
b is selected at random from the integers 1, 2, . . . , n — 1, the probability that n is an 
Euler pseudoprime to the base b is less than 1/2. This leads to the following probabilistic 
primality test. 

Theorem 11.18. The Solovay-Strassen Probabilistic Primality Test. Let n be a positive 
integer. Select, at random, k integers $b_1, b_2, \ldots, b_k$ from the integers 1, 2, ..., 
n - 1. For each of these integers $b_j$, $j = 1, 2, \ldots, k$, determine whether 

$$b_j^{(n-1)/2} \equiv \left(\frac{b_j}{n}\right) \pmod n.$$

If any of these congruences fails, then n is composite. If n is prime, then all these 
congruences hold. If n is composite, the probability that all k congruences hold is less 
than $1/2^k$. Therefore, if n passes this test when k is large, then n is “almost certainly 
prime.” 

Because every strong pseudoprime to the base b is an Euler pseudoprime to this base, 
more composite integers pass the Solovay-Strassen probabilistic primality test than the 
Rabin probabilistic primality test, although both require $O(k(\log_2 n)^3)$ bit operations. 


11.4 Exercises 

1. Show that the integer 561 is an Euler pseudoprime to the base 2. 

2. Show that the integer 15,841 is an Euler pseudoprime to the base 2, a strong pseudoprime to 
the base 2, and a Carmichael number. 

3. Show that if n is an Euler pseudoprime to the bases a and b, then n is an Euler pseudoprime 
to the base ab. 

4. Show that if n is an Euler pseudoprime to the base b, then n is also an Euler pseudoprime to 
the base n - b. 

5. Show that if $n \equiv 5 \pmod 8$ and n is an Euler pseudoprime to the base 2, then n is a strong 
pseudoprime to the base 2. 

6. Show that if $n \equiv 5 \pmod{12}$ and n is an Euler pseudoprime to the base 3, then n is a strong 
pseudoprime to the base 3. 

7. Find a congruence condition for an Euler pseudoprime n to the base 5 that guarantees that n 
is a strong pseudoprime to the base 5. 

* * 8. Let the composite positive integer n have prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_m^{a_m}$, 
where $p_j = 1 + 2^{k_j} q_j$ for $j = 1, 2, \ldots, m$, where $k_1 \le k_2 \le \cdots \le k_m$, and where $n = 1 + 2^k q$. 
Show that n is an Euler pseudoprime to exactly 

$$\delta_n \prod_{j=1}^{m} \left((n-1)/2,\; p_j - 1\right)$$

different bases b with 1 < b < n, where 

$$\delta_n = \begin{cases} 2 & \text{if } k_1 = k; \\ 1/2 & \text{if } k_j < k \text{ and } a_j \text{ is odd for some } j; \\ 1 & \text{otherwise.} \end{cases}$$

9. For how many integers b, 1 < b < 561, is 561 an Euler pseudoprime to the base b? 

10. For how many integers b, 1 < b < 1729, is 1729 an Euler pseudoprime to the base b? 

Computations and Explorations 

1. Find all Euler pseudoprimes to the base 2 less than 1,000,000. Do the same thing for the bases 
3, 5, 7, and 11. Devise a primality test based on your results. 

2. Find 10 integers, each with between 50 and 60 decimal digits, that are “probably prime” 
because they pass more than 20 iterations of the Solovay-Strassen probabilistic primality 
test. 


Programming Projects 

1. Given an integer n and a positive integer b greater than 1, determine whether n passes the 
test for Euler pseudoprimes to the base b. 

2. Given an integer n, perform the Solovay-Strassen probabilistic primality test on n. 


11.5 Zero-Knowledge Proofs 

Suppose that you want to convince another person that you have some important private 
information, without revealing this information. For example, you may want to convince 
someone that you know the prime factorization of a 200-digit positive integer without 
telling them the prime factors. Or you may have a proof of an important theorem 
and you want to convince the mathematical community that you have such a proof 
without revealing it. In this section, we will discuss methods, commonly known as 
zero-knowledge or minimum-disclosure proofs, that can be used to convince someone that you 
have certain private, verifiable information, without revealing it. Zero-knowledge proofs 
were invented in the mid-1980s. 

In a zero-knowledge proof, there are two parties, the prover, the person who has the 
secret information, and the verifier, who wants to be convinced that the prover has this 
secret information. When a zero-knowledge proof is used, the probability is extremely 
small that someone who does not have the information can successfully cheat the verifier 
by masquerading as the prover. Moreover, the verifier learns nothing, or almost nothing, 
about the information other than that the prover possesses it. In particular, the verifier 
cannot convince a third party that the verifier knows this information. 

Remark. Because zero-knowledge proofs supply the verifier with a small amount of in- 
formation, zero-knowledge proofs are more properly called minimum-disclosure proofs. 
Nevertheless, we will use the original terminology for such proofs. 

We will illustrate the use of zero-knowledge proofs by describing several examples 
of such proofs, each based on the ease of finding square roots modulo products of two 
primes compared with the difficulty of finding square roots when the two primes are not 
known. (See the end of Section 11.1 for a discussion of this topic.) 

Our first example presents a proposed scheme for a zero-knowledge proof that turned 
out to have a flaw making it unsuitable for this use. Nevertheless, we introduce this 
scheme as our first example because it illustrates the concept of zero-knowledge proofs 
and is relatively simple. Moreover, understanding why it fails to be a valid scheme for 
zero-knowledge proofs adds valuable insight (see Exercise 11). In this scheme, Paula, 
the prover, attempts to convince Vince, the verifier, that she knows the prime factors of 
n, where n is the product of two large primes p and q, without helping him find these 
two prime factors. 

When this scheme was originally devised, it was thought that someone who does 
not know p and q would be unable to find the square root of y modulo n in a reasonable 
amount of time, unlike Paula, who knows these primes. This turns out not to be the case, 
as Exercise 11 illustrates. 

The proposed scheme is based on iterating the following procedure. 

(i) Vince, who knows n, but not p and q, chooses an integer x at random. He 
computes y, the least nonnegative residue of $x^4$ modulo n, and sends this to 
Paula. 

(ii) When Paula receives y, she computes its square root modulo n. (We will explain 
how she can do this after describing the steps of the procedure.) This square 
root is the least positive residue of $x^2$ modulo n. She sends this integer to Vince. 

(iii) Vince checks Paula’s answer by finding the remainder of $x^2$ when it is divided 
by n. 

To see why Paula can find the least positive residue of $x^2$ modulo n in step (ii), note 
that because she knows p and q, she can easily find the four square roots of $x^4$ modulo 
n. Next, note that only one of the four square roots of $x^4$ modulo n is a quadratic residue 
modulo n (see Exercise 3). So, to find $x^2$, she can select the correct square root of the 
four square roots of $x^4$ modulo n by computing the value of the Legendre symbols of 
each of these square roots modulo p and modulo q. Note that someone who does not 
know p and q is unable to find the square root of y modulo n in a reasonable amount of 
time, unlike Paula, who knows these primes. 

We illustrate this procedure in the following example. 

Example 11.20. Suppose that Paula’s private information is her factorization of n = 
103 • 239 = 24,617. She can use the procedure just described to convince Vince that 
she knows the primes p = 103 and q = 239 without revealing them to him. (In practice, 
primes p and q with hundreds of digits would be used, rather than the small primes used 
in this example.) 

To illustrate the procedure, suppose that in step (i) Vince selects the integer 9134 at 
random. He computes the least positive residue of $9134^4$ modulo 24,617, which equals 
20,682. He sends the integer 20,682 to Paula. 

In step (ii), Paula determines the integer $x^2$ using the congruences 

$$x^2 \equiv \pm 20{,}682^{(103+1)/4} = \pm 20{,}682^{26} \equiv \pm 59 \pmod{103}$$
$$x^2 \equiv \pm 20{,}682^{(239+1)/4} = \pm 20{,}682^{60} \equiv \pm 75 \pmod{239}.$$

(Note that we have used the fact that when $p \equiv q \equiv 3 \pmod 4$, the solutions of $x^2 \equiv a \pmod p$ 
and $x^2 \equiv a \pmod q$ are $x \equiv \pm a^{(p+1)/4} \pmod p$ and $x \equiv \pm a^{(q+1)/4} \pmod q$, 
respectively.) 

Because $x^2$ is a quadratic residue modulo 24,617 = 103 · 239, we know that it also 
is a quadratic residue modulo 103 and 239. Computing Legendre symbols, we find that 
$\left(\frac{59}{103}\right) = 1$, $\left(\frac{-59}{103}\right) = -1$, $\left(\frac{75}{239}\right) = 1$, and $\left(\frac{-75}{239}\right) = -1$. Therefore, Paula finds $x^2$ by 
solving the system $x^2 \equiv 59 \pmod{103}$ and $x^2 \equiv 75 \pmod{239}$. When she solves this 
system, she concludes that $x^2 \equiv 2943 \pmod{24{,}617}$. 

In step (iii), Vince checks Paula’s answer by noting that $x^2 = 9134^2 \equiv 2943 \pmod{24{,}617}$. ◄ 
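
Paula’s computation in step (ii) can be carried out as in the following Python sketch, which is an added illustration and not part of the original text. It finds the four square roots of y from the square roots modulo p and modulo q, joins them with the Chinese remainder theorem, and keeps the root that is a quadratic residue modulo both primes; the function names are chosen here and the numbers are those of Example 11.20.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r          # r is 0, 1, or p - 1


def crt_pair(rp, p, rq, q):
    """The unique z modulo pq with z = rp (mod p) and z = rq (mod q)."""
    k = (rq - rp) * pow(p, -1, q) % q       # pow(p, -1, q): inverse of p modulo q
    return (rp + p * k) % (p * q)


def four_square_roots(y, p, q):
    """All square roots of y modulo n = pq, for primes p = q = 3 (mod 4)
    and y a quadratic residue modulo both primes."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("both primes must be congruent to 3 modulo 4")
    if legendre(y, p) != 1 or legendre(y, q) != 1:
        raise ValueError("y is not a quadratic residue modulo n")
    rp = pow(y, (p + 1) // 4, p)            # +-rp are the roots modulo p
    rq = pow(y, (q + 1) // 4, q)            # +-rq are the roots modulo q
    return sorted(crt_pair(sp, p, sq, q)
                  for sp in (rp, p - rp) for sq in (rq, q - rq))


def paula_reply(y, p, q):
    """Step (ii): the one square root of y that is itself a quadratic residue
    modulo n, picked out with Legendre symbols modulo p and modulo q."""
    residues = [z for z in four_square_roots(y, p, q)
                if legendre(z, p) == 1 and legendre(z, q) == 1]
    if len(residues) != 1:
        raise ValueError("expected exactly one quadratic-residue root")
    return residues[0]


def vince_challenge(x, n):
    """Step (i): y is the least nonnegative residue of x^4 modulo n."""
    return pow(x, 4, n)


def vince_check(x, reply, n):
    """Step (iii): compare Paula's reply with x^2 modulo n."""
    return reply == pow(x, 2, n)


if __name__ == "__main__":
    p, q = 103, 239                         # Paula's primes in Example 11.20
    y = vince_challenge(9134, p * q)
    print(y, four_square_roots(y, p, q), paula_reply(y, p, q))
```
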

We now describe a method to verify the identity of the prover, based on zero- 
knowledge techniques, invented by Shamir in 1985. We again suppose that n = pq, 
where p and q are two large primes both congruent to 3 modulo 4. Let I be a positive 
integer that represents some particular information, such as a personal identification 
number. The prover selects a small positive integer c, which has the property that the 
integer v obtained by concatenating I with c (the number obtained by writing the digits 
of I followed by the digits of c) is a quadratic residue modulo n. (The number c can be 
found by trial and error, with probability close to 1/2.) The prover can easily find u, a 
square root of v modulo n. 

The prover convinces the verifier that she knows the primes p and q using an 
interactive proof. Each cycle of the proof is based on the following steps. 

(i) The prover, Paula, chooses a random number r, and sends to the verifier a 
message containing two values: x, where $x \equiv r^2 \pmod n$, $0 < x < n$, and y, 
where $y \equiv v\bar{x} \pmod n$, $0 < y < n$. Here, as usual, $\bar{x}$ is an inverse of x modulo n. 

(ii) The verifier, Vince, checks that $xy \equiv v \pmod n$ and chooses, at random, a bit 
b, which he sends to the prover. 

(iii) If the bit b sent by Vince is 0, Paula sends r to Vince. Otherwise, if the bit b is 
1, Paula sends s, the least positive residue of $u\bar{r}$ modulo n, where $\bar{r}$ is an inverse 
of r modulo n. 

(iv) Vince computes the square of what Paula has sent. If Vince sent a 0, he checks 
that this square is x, that is, that $r^2 \equiv x \pmod n$. If he sent a 1, he checks that 
this square is y, that is, that $s^2 \equiv y \pmod n$. 

This procedure is also based on the fact that the prover can find u, a square root of 
v modulo n, whereas someone who does not know p and q will not be able to compute 
a square root modulo n in a reasonable amount of time. 

The four steps of this procedure form one cycle. Cycles can be repeated sufficiently 
often to guarantee a high degree of security, as we will subsequently describe. 

We illustrate this type of zero-knowledge proof with the following example. 

Example 11.21. Suppose Paula wants to verify her identity to Vince by convincing 
him that she knows the prime factors of n = 31 · 61 = 1891. Her identification number is 
I = 391. Note that 391 is a quadratic residue of 1891 because, as the reader can verify, it 
is a quadratic residue of both 31 and 61, so she can take v = 391 (that is, in this case, she 
does not have to concatenate an integer c with I). Paula finds that u = 239 is a square 
root of 391 modulo 1891. She can easily perform this calculation, because she knows 
the primes 31 and 61. (Note that we have selected small primes p and q in this example 
to illustrate the procedure. In practice, primes with hundreds of digits should be used.) 

We illustrate one cycle of this procedure. In step (i), Paula chooses a random number, 
say, r = 998. She sends Vince two numbers, $x \equiv r^2 = 998^2 \equiv 1338 \pmod{1891}$ and 
$y \equiv v\bar{x} \equiv 391 \cdot 1296 \equiv 1839 \pmod{1891}$. 

In step (ii), Vince checks that $xy \equiv 1338 \cdot 1839 \equiv 391 \pmod{1891}$ and chooses, at 
random, a bit b, say, b = 1, which he sends to Paula. 

In step (iii), Paula sends $s \equiv u\bar{r} \equiv 239 \cdot 1855 \equiv 851 \pmod{1891}$ to Vince. Finally, 
in step (iv), Vince checks that $s^2 = 851^2 \equiv 1839 \equiv y \pmod{1891}$. ◄ 

Note that if the prover sends the verifier both r and s , the verifier will know the private 
information u = rs, which is the secret information held by the prover. By passing the 
test with sufficiently many cycles, the prover has shown that she can produce either r or 
s on request. It follows that she must know u because, in each cycle, she knows both r 
and s. The choice of the random bit by the verifier makes it impossible for someone to 
fix the procedure by using numbers that have been rigged to pass the test. For example, 
someone could compute the square of a known number r and send $x = r^2$, instead of 
choosing a random number. Similarly, someone could select a number x such that $v\bar{x}$ is 
a known square. However, it is impossible to do precalculations to make both x and y 
the squares of known numbers without knowing u. 

Because the bit chosen by the verifier is chosen at random, the probability that it 
will be a 0 is 1/2, as is the probability that it will be a 1. If someone does not know u, 
the square root of v, the probability that they will pass one iteration of this test is almost 
exactly 1/2. Consequently, the probability that someone masquerading as the prover will 
pass the test with 30 cycles is approximately $1/2^{30}$, which is less than one in a billion. 

A variation of this procedure, known as the Fiat-Shamir method, is the basis for 
verification procedures used by smart cards, such as for verifying personal identification 
numbers. 
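
One cycle of the identification procedure described above, with both parties’ computations, is shown in the following Python sketch. It is an added illustration, not part of the original text; the function names are chosen here and the numbers are those of Example 11.21. The function `rigged_cycle` models the precalculation discussed above, in which someone without u prepares x or y from a known number t for one guessed bit, and shows that the cycle is passed only when the guess matches Vince’s bit.

```python
import math
import secrets


def random_unit(n):
    """A random r with 1 < r < n and (r, n) = 1, so that an inverse of r exists."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if math.gcd(r, n) == 1:
            return r


def commit(r, v, n):
    """Step (i), Paula: x = r^2 and y = v * (inverse of x), both modulo n."""
    x = pow(r, 2, n)
    return x, v * pow(x, -1, n) % n


def respond(r, u, bit, n):
    """Step (iii), Paula: r for bit 0, s = u * (inverse of r) modulo n for bit 1."""
    return r % n if bit == 0 else u * pow(r, -1, n) % n


def verify(x, y, v, bit, answer, n):
    """Steps (ii) and (iv), Vince: check xy = v, then square Paula's answer."""
    if x * y % n != v % n:
        return False
    return pow(answer, 2, n) == (x if bit == 0 else y)


def run_cycles(u, v, n, cycles=30):
    """An honest prover who knows u, against a fresh random bit in every cycle."""
    for _ in range(cycles):
        r = random_unit(n)
        x, y = commit(r, v, n)
        bit = secrets.randbelow(2)
        if not verify(x, y, v, bit, respond(r, u, bit, n), n):
            return False
    return True


def rigged_cycle(guess, bit, t, v, n):
    """Someone who does not know u prepares for a guessed bit from a known t:
    guess 0 makes x = t^2 a known square, guess 1 makes y = t^2 a known square.
    Returns whether Vince accepts when his bit is `bit`."""
    if guess == 0:
        x, y = commit(t, v, n)
    else:
        y = pow(t, 2, n)
        x = v * pow(y, -1, n) % n
    return verify(x, y, v, bit, t, n)     # t is the only square root available


if __name__ == "__main__":
    n, v, u = 31 * 61, 391, 239           # Example 11.21: u^2 = v (mod n)
    x, y = commit(998, v, n)
    print(x, y, respond(998, u, 1, n), run_cycles(u, v, n))
```
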

Next, we describe a method that can be used to prove, using a zero-knowledge 
proof, that someone has certain information. Suppose that the prover, Paula, has 
information represented by a sequence of numbers $v_1, v_2, \ldots, v_m$, where $1 < v_j < n$ for 
$j = 1, 2, \ldots, m$. Here, as before, $n$ is the product of two primes $p$ and $q$ that are both 
congruent to 3 modulo 4. Paula makes public the sequence of integers $s_1, s_2, \ldots, s_m$, where 
$s_j \equiv \bar{v}_j^{\,2} \pmod{n}$, $1 < s_j < n$, and $\bar{v}_j$ denotes an inverse of $v_j$ modulo $n$. Paula wants 
to convince the verifier, Vince, that she knows the private information $v_1, v_2, \ldots, v_m$, 
without revealing this information to Vince. What Vince knows is her public modulus $n$ 
and her public information $s_1, s_2, \ldots, s_m$. 

The following procedure can be used to convince Vince she has this information. 
Each cycle of the procedure has the following steps. 

(i) Paula chooses a random number $r$ and computes $x = r^2$, which she sends to 
Vince. 

(ii) Vince selects a subset $S$ of the set $\{1, 2, \ldots, m\}$ and sends this subset to Paula. 

(iii) Paula computes $y$, the least positive residue modulo $n$ of the product of $r$ and 
the integers $v_j$, with $j$ in $S$, that is, $y \equiv r \prod_{j \in S} v_j \pmod{n}$, $0 < y < n$, and she 
sends $y$ to Vince. 

(iv) Vince verifies that $x \equiv y^2 z \pmod{n}$, where $z$ is the product of the integers $s_j$, 
with $j$ in $S$, that is, $z \equiv \prod_{j \in S} s_j \pmod{n}$, $0 < z < n$. 

Note that the congruence in step (iv) holds, because 

$$y^2 z \equiv r^2 \prod_{j \in S} v_j^2 \prod_{j \in S} \bar{v}_j^{\,2} \equiv r^2 \prod_{j \in S} (v_j \bar{v}_j)^2 \equiv r^2 \pmod{n}.$$

The random number $r$ is used so that the verifier cannot determine the value of the integer 
$v_j$, part of the secret information, by selecting the set $S = \{j\}$. When this procedure is 
carried out, the verifier is given no new information that will help him determine the 
private information $v_1, \ldots, v_m$. 
We illustrate one cycle of this interactive zero-knowledge proof in the following 
example. 


Example 11.22. Suppose that Paula wants to convince Vince that she has secret 
information, which is represented by the integers $v_1 = 1144$, $v_2 = 877$, $v_3 = 2001$, $v_4 = 1221$, 
and $v_5 = 101$. Her secret modulus is $n = 47 \cdot 53 = 2491$. (In practice, primes with 
hundreds of digits are used rather than the small primes used in this example.) 

Her public information consists of the integers $s_j$, with $s_j \equiv \bar{v}_j^{\,2} \pmod{2491}$, 
$0 < s_j < 2491$, $j = 1, 2, 3, 4, 5$, where $\bar{v}_j$ is an inverse of $v_j$ modulo 2491. It follows, after 
routine calculation, that her public information consists of the integers $s_1 = 197$, 
$s_2 = 2453$, $s_3 = 1553$, $s_4 = 941$, and $s_5 = 494$. 

Paula can convince Vince that she has the secret information using the procedure 
described in the text. We describe one cycle of the procedure. In step (i), Paula chooses 
a random number, say, $r = 1253$. Next, she sends $x = 679$, the least positive residue of 
$r^2$ modulo 2491, to Vince. 

In step (ii), Vince selects a subset of $\{1, 2, 3, 4, 5\}$, say, $S = \{1, 3, 4, 5\}$, and informs 
Paula of this choice. 

In step (iii), Paula computes the number $y$, with $0 < y < 2491$ and 

$$y \equiv r v_1 v_3 v_4 v_5 \equiv 1253 \cdot 1144 \cdot 2001 \cdot 1221 \cdot 101 \equiv 68 \pmod{2491}.$$

Consequently, she sends $y = 68$ to Vince. 

Finally, in step (iv), Vince confirms that $x \equiv y^2 s_1 s_3 s_4 s_5 \pmod{2491}$ by verifying 
that $x = 679 \equiv 68^2 \cdot 197 \cdot 1553 \cdot 941 \cdot 494 \pmod{2491}$. 

Vince can ask Paula to run through more cycles of this procedure to verify that she 
does have the secret information. He stops when he feels that the probability that she is 
cheating is small enough to satisfy his needs. ◄ 

How can the prover cheat in this interactive procedure for zero-knowledge proofs 
of information? That is, how can the prover fool the verifier into thinking that she really 
knows the private information $v_1, \ldots, v_m$ when she does not? The only obvious way 
is for the prover to guess the set $S$ before the verifier supplies this; in step (i), to take 
$x = r^2 \prod_{j \in S} \bar{v}_j^{\,2}$ (where $\bar{v}_j$ is an inverse of $v_j$ modulo $n$, so that this product is 
the product of the public values $s_j$ with $j$ in $S$), and in step (iii), to take $y = r$. Because 
there are $2^m$ possible sets $S$ (as there are that many subsets of $\{1, 2, \ldots, m\}$), the 
probability that someone not knowing the private information fools the verifier using this 
technique is $1/2^m$. Furthermore, when this cycle is iterated $T$ times, the probability 
decreases to $1/2^{mT}$. For instance, if $m = 10$ and $T = 3$, the probability of the verifier 
being fooled is less than one in a billion. 
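
The four steps of one cycle, checked against the numbers of Example 11.22, as an added Python example (not code from the book). It assumes the public values are $s_j = (v_j^{-1})^2 \bmod n$, the form under which the step (iv) congruence and the example's figures hold; all function names are this example's own. The last two functions replay the subset-guessing strategy from the paragraph above, to show that a transcript built from a guessed subset is rejected when the verifier's challenge differs.

```python
import secrets
from math import gcd, prod

# Values from Example 11.22 (toy modulus; real use needs primes of hundreds of digits).
N_EXAMPLE = 47 * 53
V_EXAMPLE = [1144, 877, 2001, 1221, 101]


def public_values(secret, n):
    """s_j = (v_j^{-1})^2 mod n; raises ValueError if some v_j is not invertible."""
    return [pow(pow(v, -1, n), 2, n) for v in secret]


def commit(r, n):
    """Step (i): the prover sends x = r^2 mod n."""
    return pow(r, 2, n)


def random_subset(m):
    """Step (ii): a uniformly random subset of {1, ..., m}, drawn after x is received."""
    bits = secrets.randbits(m)
    return {j for j in range(1, m + 1) if (bits >> (j - 1)) & 1}


def respond(r, secret, subset, n):
    """Step (iii): y = r * prod_{j in S} v_j mod n (indices are 1-based)."""
    return r * prod(secret[j - 1] for j in subset) % n


def verify(x, y, public, subset, n):
    """Step (iv): accept iff x == y^2 * prod_{j in S} s_j (mod n)."""
    z = prod(public[j - 1] for j in subset) % n
    return x == pow(y, 2, n) * z % n


def run_cycles(secret, n, cycles):
    """Honest prover against an honest verifier; a fresh r is drawn every cycle."""
    public = public_values(secret, n)
    for _ in range(cycles):
        r = 0
        while gcd(r, n) != 1:
            r = secrets.randbelow(n)
        x = commit(r, n)
        subset = random_subset(len(secret))
        y = respond(r, secret, subset, n)
        if not verify(x, y, public, subset, n):
            return False
    return True


def guessed_transcript(r, guess, public, n):
    """Prover without the v_j: commits x = r^2 * prod_{j in guess} s_j, answers y = r."""
    x = pow(r, 2, n) * prod(public[j - 1] for j in guess) % n
    return x, r % n


def accepted_challenges(r, guess, public, n):
    """Count how many of the 2^m possible challenge sets accept the guessed transcript."""
    m = len(public)
    x, y = guessed_transcript(r, guess, public, n)
    count = 0
    for bits in range(1 << m):
        subset = {j for j in range(1, m + 1) if (bits >> (j - 1)) & 1}
        count += verify(x, y, public, subset, n)
    return count


if __name__ == "__main__":
    pub = public_values(V_EXAMPLE, N_EXAMPLE)
    print("public values:", pub)
    print("x =", commit(1253, N_EXAMPLE))
    print("y =", respond(1253, V_EXAMPLE, {1, 3, 4, 5}, N_EXAMPLE))
    print("30 honest cycles accepted:", run_cycles(V_EXAMPLE, N_EXAMPLE, 30))
    print("challenges accepting a guessed transcript:",
          accepted_challenges(1253, {1, 3, 4, 5}, pub, N_EXAMPLE), "of", 2 ** len(pub))
```

With a modulus this small, two different subsets can have the same product of $s_j$ modulo $n$, so the count of accepted challenges can exceed one; with a modulus of realistic size such coincidences are negligible.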

In this section, we have only briefly touched upon zero-knowledge proofs. The 
reader interested in learning more about this subject should refer to the chapter by 
Goldwasser in [Po90], as well as to the reference supplied in that chapter. 
.5 Exercises 

1. Suppose that $n = 3149 = 47 \cdot 67$ and that $x^4 \equiv 2070 \pmod{3149}$. Find the least nonnegative 
residue of $x^2$ modulo 3149. 

2. Suppose that $n = 11{,}021 = 103 \cdot 107$ and that $x^4 \equiv 1686 \pmod{11{,}021}$. Find the least 
nonnegative residue of $x^2$ modulo 11,021. 

3. Suppose that $n = pq$, where $p$ and $q$ are primes both congruent to 3 modulo 4, and that $x$ is 
an integer relatively prime to $n$. Show that of the four square roots of $x^4$ modulo $n$, only one 
is the least nonnegative residue of a square of an integer. 

4. Suppose that Paula has identification number 1760 and modulus $1961 = 37 \cdot 53$. Show how 
she verifies her identity to Vince in one cycle of the Shamir procedure, if she selects the 
random number 1101 and he chooses 1 as his random bit. 

5. Suppose that Paula has identification number 7 and modulus $1411 = 17 \cdot 83$. Show how she 
verifies her identity to Vince in one cycle of the Shamir procedure, if she selects the random 
number 822 and he chooses 1 as his random bit. 

6. Run through the steps used to verify that the prover has the secret information in Example 
11.22, when the random number $r = 888$ is selected by the prover in step (i) and the verifier 
selects the subset $\{2, 3, 5\}$ of $\{1, 2, 3, 4, 5\}$. 

7. Run through the steps used to verify that the prover has the secret information in Example 
11.22, when the random number $r = 1403$ is selected by the prover in step (i) and the verifier 
selects the subset $\{1, 5\}$ of $\{1, 2, 3, 4, 5\}$. 

8. Let $n = 2491 = 47 \cdot 53$. Suppose that Paula’s identification information consists of the 
sequence of six numbers $v_1 = 881$, $v_2 = 1199$, $v_3 = 2144$, $v_4 = 110$, $v_5 = 557$, and $v_6 = 2200$. 

a) Find Paula’s public identification information, $s_1, s_2, s_3, s_4, s_5, s_6$. 

b) Suppose that Paula selects at random the number $r = 1091$, and Vince chooses the subset 
$S = \{2, 3, 5, 6\}$ and sends this to Paula. Find the number that Paula computes and sends 
back to Vince. 

c) What computation does Vince make to verify Paula’s knowledge of her secret information? 

9. Let $n = 3953 = 59 \cdot 67$. Suppose that Paula’s identification information consists of the 
sequence of six numbers $v_1 = 1001$, $v_2 = 21$, $v_3 = 3097$, $v_4 = 989$, $v_5 = 157$, and $v_6 = 1039$. 

a) Find Paula’s public identification information $s_1, s_2, s_3, s_4, s_5, s_6$. 

b) Suppose that Paula selects at random the number $r = 403$, and Vince chooses the subset 
$S = \{1, 2, 4, 6\}$ and sends this to Paula. Find the number that Paula computes and sends 
back to Vince. 

c) What computation does Vince make to verify Paula’s knowledge of her secret information? 

10. Suppose that $n = pq$, where $p$ and $q$ are large odd primes and that you are able to efficiently 
extract square roots modulo $n$ without knowing $p$ and $q$. Show that you can, with probability 
close to 1, find the prime factors $p$ and $q$. (Hint: Base your algorithm on the following 
procedure. Select an integer $x$. Extract a square root of the least nonnegative residue of $x^2$ 
modulo $n$. You will need to show that there is a 1/2 chance that you found a square root not 
congruent to $\pm x$ modulo $n$.) 

11. In this exercise, we expose a flaw in the proposed scheme of a zero-knowledge proof presented 
prior to Example 11.20. Suppose that Vince randomly chooses integers $w$ until he finds a 
value of $w$ for which the Jacobi symbol $\left(\frac{w}{n}\right)$ equals $-1$ and that he sends Paula $z$, the least 
nonnegative residue of $w^2$ modulo $n$. Show that Vince can factor $n$ once Paula sends back 
the square root of $z$ that she computes. 


Computations and Explorations 

1. Give one of your classmates the integer n, where n = pq and p and q are primes with more 
than 50 decimal digits, both congruent to 3 modulo 4. Convince your classmate that you know 
both p and q using a zero-knowledge proof. 

2. Convince one of your classmates that you know a secret in the form of a sequence of 10 
positive integers each less than 10,000, using the zero-knowledge proof described in the text. 

Programming Projects 

1. Given $n$, the product of two distinct primes both congruent to 3 modulo 4, and the least 
positive residue of $x^4$ modulo $n$, where $x$ is an integer relatively prime to $n$, find the least 
positive residue of $x^2$ modulo $n$. 



12 Decimal Fractions and Continued Fractions 


In this chapter, we will discuss the representation of rational and irrational numbers as 
decimal fractions and continued fractions. We will show that every rational number 
can be expressed as a terminating or periodic decimal fraction, and provide some results 
that tell us the length of the period of the decimal fraction of a rational number. We 
will also construct irrational numbers using decimal fractions, and show how decimal 
fractions can be used to express a transcendental number and to demonstrate that the set 
of real numbers is uncountable. 

Continued fractions provide a useful way of expressing numbers. We will show 
that every rational number has a finite continued fraction, that every irrational number 
has an infinite continued fraction, and that continued fractions are the best rational 
approximations to numbers. We will establish a key result that will tell us that the set of 
quadratic irrationals can be characterized as the set of numbers with periodic continued 
fractions. Finally, we will show how continued fractions can be used to help factor 
integers. 


12.1 Decimal Fractions 

In this section, we discuss the representation of rational and irrational numbers as decimal 
fractions. We first consider base $b$ expansions of real numbers, where $b$ is a positive 
integer, $b > 1$. Let $\alpha$ be a positive real number, and let $a = [\alpha]$ be the integer part of $\alpha$, so 
that $\gamma = \alpha - [\alpha]$ is the fractional part of $\alpha$ and $\alpha = a + \gamma$ with $0 \le \gamma < 1$. By Theorem 
2.1, the integer $a$ has a unique base $b$ expansion. We now show that the fractional part 
$\gamma$ also has a unique base $b$ expansion. 

Theorem 12.1. Let $\gamma$ be a real number with $0 \le \gamma < 1$, and let $b$ be a positive integer, 
$b > 1$. Then $\gamma$ can be uniquely written as 

$$\gamma = \sum_{j=1}^{\infty} c_j/b^j,$$

where the coefficients $c_j$ are integers with $0 \le c_j \le b - 1$ for $j = 1, 2, \ldots$, with the 
restriction that for every positive integer $N$ there is an integer $n$ with $n > N$ and 
$c_n \ne b - 1$. 

In the proof of Theorem 12.1, we deal with infinite series. We will use the following 
formula for the sum of the terms of an infinite geometric series. 

Theorem 12.2. Let $a$ and $r$ be real numbers with $|r| < 1$. Then 

$$\sum_{j=0}^{\infty} a r^j = a/(1 - r).$$

Most books on calculus or mathematical analysis contain a proof of Theorem 12.2 (see 
[Ru64], for instance). 

We can now prove Theorem 12.1. 

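Proof. We first let 

$$c_1 = [b\gamma],$$

so that $0 \le c_1 \le b - 1$, because $0 \le b\gamma < b$. In addition, let 

$$\gamma_1 = b\gamma - c_1 = b\gamma - [b\gamma],$$

so that $0 \le \gamma_1 < 1$ and 



We recursively define $c_k$ and $\gamma_k$, for $k = 2, 3, \ldots$, by 

$$c_k = [b\gamma_{k-1}],$$

$$\gamma_k = b\gamma_{k-1} - c_k,$$

so that $0 \le c_k \le b - 1$, because $0 \le b\gamma_{k-1} < b$ and $0 \le \gamma_k < 1$. Then, it follows that 

$$\gamma = \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_n}{b^n} + \frac{\gamma_n}{b^n}.$$

Because $0 \le \gamma_n < 1$, we see that $0 \le \gamma_n/b^n < 1/b^n$. Consequently, 

$$\lim_{n \to \infty} \gamma_n/b^n = 0.$$

Therefore, we can conclude that 

$$\gamma = \sum_{j=1}^{\infty} c_j/b^j.$$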

To show that this expansion is unique, assume that 

$$\gamma = \sum_{j=1}^{\infty} c_j/b^j = \sum_{j=1}^{\infty} d_j/b^j,$$

where $0 \le c_j \le b - 1$ and $0 \le d_j \le b - 1$ and, for every positive integer $N$, there are 
integers $n$ and $m$ with $c_n \ne b - 1$ and $d_m \ne b - 1$. Assume that $k$ is the smallest index 
for which $c_k \ne d_k$, and assume that $c_k > d_k$ (the case $c_k < d_k$ is handled by switching the 
roles of the two expansions). Then 

$$0 = \sum_{j=1}^{\infty} (c_j - d_j)/b^j = (c_k - d_k)/b^k + \sum_{j=k+1}^{\infty} (c_j - d_j)/b^j,$$

so that 

$$(c_k - d_k)/b^k = \sum_{j=k+1}^{\infty} (d_j - c_j)/b^j. \tag{12.1}$$

Because $c_k > d_k$, we have 

(12.2) 

whereas 

$$\sum_{j=k+1}^{\infty} (d_j - c_j)/b^j \le \sum_{j=k+1}^{\infty} (b - 1)/b^j = (b - 1)\,\frac{1/b^{k+1}}{1 - 1/b} = 1/b^k, \tag{12.3}$$

where we have used Theorem 12.2 to evaluate the sum on the right-hand side of the 
inequality. Note that equality holds in (12.3) if and only if $d_j - c_j = b - 1$ for all $j$ with 
$j \ge k + 1$, and this occurs if and only if $d_j = b - 1$ and $c_j = 0$ for $j \ge k + 1$. However, 
such an instance is excluded by the hypotheses of the theorem. Hence, the inequality in 
(12.3) is strict, and therefore (12.2) and (12.3) contradict (12.1). This shows that the base 
$b$ expansion of $\alpha$ is unique. ■ 


The unique expansion of a real number in the form $\sum_{j=1}^{\infty} c_j/b^j$ is called the base $b$ 
expansion of this number and is denoted by $(.c_1c_2c_3\ldots)_b$. 

To find the base $b$ expansion $(.c_1c_2c_3\ldots)_b$ of a real number $\gamma$, we can use the 
recursive formula for the digits given in the proof of Theorem 12.1, namely, 

$$c_k = [b\gamma_{k-1}], \qquad \gamma_k = b\gamma_{k-1} - [b\gamma_{k-1}],$$

where $\gamma_0 = \gamma$, for $k = 1, 2, 3, \ldots$. (Note that there is also an explicit formula for these 
digits; see Exercise 21.) 


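Example 12.1. Let $(.c_1c_2c_3\ldots)_b$ be the base 8 expansion of 1/6. Then 

$$c_1 = [8 \cdot \tfrac{1}{6}] = 1, \qquad \gamma_1 = 8 \cdot \tfrac{1}{6} - 1 = \tfrac{1}{3},$$

$$c_2 = [8 \cdot \tfrac{1}{3}] = 2, \qquad \gamma_2 = 8 \cdot \tfrac{1}{3} - 2 = \tfrac{2}{3},$$

$$c_3 = [8 \cdot \tfrac{2}{3}] = 5, \qquad \gamma_3 = 8 \cdot \tfrac{2}{3} - 5 = \tfrac{1}{3},$$

$$c_4 = [8 \cdot \tfrac{1}{3}] = 2, \qquad \gamma_4 = 8 \cdot \tfrac{1}{3} - 2 = \tfrac{2}{3},$$

$$c_5 = [8 \cdot \tfrac{2}{3}] = 5, \qquad \gamma_5 = 8 \cdot \tfrac{2}{3} - 5 = \tfrac{1}{3},$$

and so on. We see that the expansion repeats; hence, 

$$1/6 = (.1252525\ldots)_8.$$ ◄ 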

We will now discuss base b expansions of rational numbers. We will show that a 
number is rational if and only if its base b expansion is periodic or terminates. 

Definition. A base $b$ expansion $(.c_1c_2c_3\ldots)_b$ is said to terminate if there is a positive 
integer $n$ such that $c_n = c_{n+1} = c_{n+2} = \cdots = 0$. 

Example 12.2. The decimal expansion of 1/8, $(.125000\ldots)_{10} = (.125)_{10}$, terminates. 
Also, the base 6 expansion of 4/9, $(.24000\ldots)_6 = (.24)_6$, terminates. ◄ 

To describe those real numbers with terminating base b expansion, we prove the 
following theorem. 


Theorem 12.3. The real number $\alpha$, $0 < \alpha < 1$, has a terminating base $b$ expansion if 
and only if $\alpha$ is rational and can be written as $\alpha = r/s$, where $0 < r < s$ and every prime 
factor of $s$ also divides $b$. 

Proof. First, suppose that $\alpha$ has a terminating base $b$ expansion, 

$$\alpha = (.c_1c_2\ldots c_n)_b.$$

Then 

$$\alpha = \frac{c_1 b^{n-1} + c_2 b^{n-2} + \cdots + c_n}{b^n},$$

so that $\alpha$ is rational, and can be written with a denominator divisible only by primes 
dividing $b$. 

Conversely, suppose that $0 < \alpha < 1$, and 

$$\alpha = r/s,$$

where each prime dividing $s$ also divides $b$. Hence, there is a power of $b$, say, $b^N$, that 
is divisible by $s$ (for instance, take $N$ to be the largest exponent in the prime-power 
factorization of $s$). Then 

$$b^N \alpha = b^N r/s = ar,$$

where $sa = b^N$, and $a$ is a positive integer because $s \mid b^N$. Now let $(a_m a_{m-1} \ldots a_1 a_0)_b$ be 
the base $b$ expansion of $ar$. Then 

$$\alpha = ar/b^N = \frac{a_m b^m + a_{m-1} b^{m-1} + \cdots + a_1 b + a_0}{b^N}$$

$$= a_m b^{m-N} + a_{m-1} b^{m-1-N} + \cdots + a_1 b^{1-N} + a_0 b^{-N}$$

$$= (.00\ldots a_m a_{m-1} \ldots a_1 a_0)_b.$$

Hence, $\alpha$ has a terminating base $b$ expansion. ■ 

Note that every terminating base $b$ expansion can be written as a nonterminating 
base $b$ expansion with a tail-end consisting entirely of the digit $b - 1$, because 
$(.c_1c_2\ldots c_m)_b = (.c_1c_2\ldots c_m{-}1\;\, b{-}1\;\, b{-}1 \ldots)_b$. For instance, $(.12)_{10} = 
(.11999\ldots)_{10}$. This is why we require in Theorem 12.1 that for every integer $N$ there is 
an integer $n$ such that $n > N$ and $c_n \ne b - 1$; without this restriction, base $b$ expansions 
would not be unique. 

A base $b$ expansion that does not terminate may be periodic, for instance, 

$$1/3 = (.333\ldots)_{10},$$

$$1/6 = (.1666\ldots)_{10},$$

and 

$$1/7 = (.142857142857142857\ldots)_{10}.$$

Definition. A base $b$ expansion $(.c_1c_2c_3\ldots)_b$ is called periodic if there are positive 
integers $N$ and $k$ such that $c_{n+k} = c_n$ for $n \ge N$. 


We denote by $(.c_1c_2\ldots c_{N-1}\overline{c_N\ldots c_{N+k-1}})_b$ the periodic base $b$ expansion 
$(.c_1c_2\ldots c_{N-1}c_N\ldots c_{N+k-1}c_N\ldots c_{N+k-1}c_N\ldots)_b$. For instance, we have 

$$1/3 = (.\overline{3})_{10},$$

$$1/6 = (.1\overline{6})_{10},$$

and 

$$1/7 = (.\overline{142857})_{10}.$$

Note that the periodic parts of the decimal expansions of 1/3 and 1/7 begin 
immediately, whereas in the decimal expansion of 1/6 the digit 1 precedes the periodic part 
of the expansion. We call the part of a periodic base $b$ expansion preceding the periodic 
part the pre-period, and the periodic part the period, where we take the period to have 
minimal possible length. 

Example 12.3. The base 3 expansion of 2/45 is $(.00\overline{1012})_3$. The pre-period is $(00)_3$ 
and the period is $(1012)_3$. 

The next theorem tells us that the rational numbers are those real numbers with 
periodic or terminating base b expansions. Moreover, the theorem gives the lengths of 
the pre-period and period of the base b expansion of a rational number. 


Theorem 12.4. Let $b$ be a positive integer. Then a periodic base $b$ expansion represents 
a rational number. Conversely, the base $b$ expansion of a rational number either terminates 
or is periodic. Further, if $0 < \alpha < 1$, $\alpha = r/s$, where $r$ and $s$ are relatively prime positive 
integers, and $s = TU$, where every prime factor of $T$ divides $b$ and $(U, b) = 1$, then the 
period length of the base $b$ expansion of $\alpha$ is $\mathrm{ord}_U\, b$, and the pre-period length is $N$, 
where $N$ is the smallest positive integer such that $T \mid b^N$. 


Proof. First, suppose that the base $b$ expansion of $\alpha$ is periodic, so that 

$$\alpha = (.c_1c_2\ldots c_N\overline{c_{N+1}\ldots c_{N+k}})_b$$

$$= \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_N}{b^N} + \left(\sum_{j=0}^{\infty} \frac{1}{b^{jk}}\right)\left(\frac{c_{N+1}}{b^{N+1}} + \cdots + \frac{c_{N+k}}{b^{N+k}}\right)$$

$$= \frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_N}{b^N} + \left(\frac{b^k}{b^k - 1}\right)\left(\frac{c_{N+1}}{b^{N+1}} + \cdots + \frac{c_{N+k}}{b^{N+k}}\right),$$

where we have used Theorem 12.2 to see that 

$$\sum_{j=0}^{\infty} \frac{1}{b^{jk}} = \frac{1}{1 - \frac{1}{b^k}} = \frac{b^k}{b^k - 1}.$$

Because $\alpha$ is the sum of rational numbers, it is rational. 


Conversely, suppose that $0 < \alpha < 1$, $\alpha = r/s$, where $r$ and $s$ are relatively prime 
positive integers, $s = TU$, where every prime factor of $T$ divides $b$, $(U, b) = 1$, and $N$ 
is the smallest integer such that $T \mid b^N$. 

Because $T \mid b^N$, we have $aT = b^N$, where $a$ is a positive integer. Hence, 

$$b^N \alpha = b^N \frac{r}{TU} = \frac{ar}{U}. \tag{12.4}$$

Furthermore, we can write 

$$\frac{ar}{U} = A + \frac{C}{U}, \tag{12.5}$$

where $A$ and $C$ are integers with 

$$0 \le A < b^N, \qquad 0 \le C < U,$$

and $(C, U) = 1$. (The inequality for $A$ follows because $0 < b^N \alpha = \frac{ar}{U} < b^N$, which 
results from the inequality $0 < \alpha < 1$ when both sides are multiplied by $b^N$.) The fact 
that $(C, U) = 1$ follows easily from the condition $(r, s) = 1$. By Theorem 12.1, $A$ has a 
base $b$ expansion $A = (a_n a_{n-1} \ldots a_1 a_0)_b$. 
If $U = 1$, then the base $b$ expansion of $\alpha$ terminates as shown. Otherwise, let 
$v = \mathrm{ord}_U\, b$. Then 

$$b^v \frac{C}{U} = \frac{(tU + 1)C}{U} = tC + \frac{C}{U}, \tag{12.6}$$

where $t$ is an integer, because $b^v \equiv 1 \pmod{U}$. However, we also have 

$$b^v \frac{C}{U} = b^v \left(\frac{c_1}{b} + \frac{c_2}{b^2} + \cdots + \frac{c_v}{b^v} + \frac{\gamma_v}{b^v}\right), \tag{12.7}$$

where $(.c_1c_2c_3\ldots)_b$ is the base $b$ expansion of $\frac{C}{U}$, so that 

$$c_k = [b\gamma_{k-1}], \qquad \gamma_k = b\gamma_{k-1} - [b\gamma_{k-1}],$$

where $\gamma_0 = \frac{C}{U}$, for $k = 1, 2, 3, \ldots$. From (12.7), we see that 

$$b^v \frac{C}{U} = \left(c_1 b^{v-1} + c_2 b^{v-2} + \cdots + c_v\right) + \gamma_v. \tag{12.8}$$

Equating the fractional parts of (12.6) and (12.8), noting that $0 \le \gamma_v < 1$, we find that 

$$\gamma_v = \frac{C}{U}.$$

Consequently, we see that 

$$\gamma_v = \gamma_0 = \frac{C}{U},$$

so that from the recursive definition of $c_1, c_2, \ldots$, we can conclude that $c_{k+v} = c_k$ for 
$k = 1, 2, 3, \ldots$. Hence, $\frac{C}{U}$ has a periodic base $b$ expansion 

$$\frac{C}{U} = (.\overline{c_1c_2\ldots c_v})_b.$$

Combining (12.4) and (12.5), and inserting the base $b$ expansions of $A$ and $\frac{C}{U}$, we have 

$$b^N \alpha = (a_n a_{n-1} \ldots a_1 a_0 . \overline{c_1c_2\ldots c_v})_b. \tag{12.9}$$

Dividing both sides of (12.9) by $b^N$, we obtain 

$$\alpha = (.00\ldots a_n a_{n-1} \ldots a_1 a_0 \overline{c_1c_2\ldots c_v})_b,$$

(where we have shifted the decimal point in the base $b$ expansion of $b^N \alpha$ $N$ spaces to 
the left to obtain the base $b$ expansion of $\alpha$). In this base $b$ expansion of $\alpha$, the pre-period 
$(.00\ldots a_n a_{n-1} \ldots a_1 a_0)_b$ is of length $N$, beginning with $N - (n + 1)$ zeros, and the 
period length is $v$. 

We have shown that there is a base $b$ expansion of $\alpha$ with a pre-period of length $N$ 
and a period of length $v$. To finish the proof, we must show that we cannot regroup the 
base $b$ expansion of $\alpha$, so that either the pre-period has length less than $N$ or the period 
has length less than $v$. To do this, suppose that 

$$\alpha = (.c_1c_2\ldots c_M\overline{c_{M+1}\ldots c_{M+k}})_b$$

$$= \frac{(c_1 b^{M-1} + c_2 b^{M-2} + \cdots + c_M)(b^k - 1) + (c_{M+1} b^{k-1} + \cdots + c_{M+k})}{b^M (b^k - 1)}.$$

Because $\alpha = r/s$, with $(r, s) = 1$, we see that $s \mid b^M(b^k - 1)$. Consequently, $T \mid b^M$ and 
$U \mid (b^k - 1)$. Hence, $M \ge N$, and $v \mid k$ (by Theorem 9.1, because $b^k \equiv 1 \pmod{U}$ and 
$v = \mathrm{ord}_U\, b$). Therefore, the pre-period length cannot be less than $N$ and the period length 
cannot be less than $v$. ■ 

We can use Theorem 12.4 to determine the lengths of the pre-period and period of 
decimal expansions. Let $\alpha = r/s$, $0 < \alpha < 1$, and $s = 2^{s_1} 5^{s_2} t$, where $(t, 10) = 1$. Then, by 
Theorem 12.4, the pre-period has length $\max(s_1, s_2)$ and the period has length $\mathrm{ord}_t\, 10$. 

Example 12.4. Let $\alpha = 5/28$. Because $28 = 2^2 \cdot 7$, Theorem 12.4 tells us that the 
pre-period has length two and the period has length $\mathrm{ord}_7\, 10 = 6$. As $5/28 = (.17\overline{857142})$, we 
see that these lengths are correct. ◄ 

Note that the pre-period and period lengths of a rational number r/s, in lowest terms, 
depend only on the denominator s, and not on the numerator r. 
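
Theorem 12.4 checked two independent ways, as an added Python example (not code from the book): `lengths_by_theorem` computes the pre-period and period lengths from the factorization $s = TU$ and $\mathrm{ord}_U\, b$, while `expand` runs the digit recursion $c_k = [b\gamma_{k-1}]$ until a value of $\gamma_k$ repeats and splits the digits accordingly. The function names are this example's own, and a terminating expansion is reported with period length 0.

```python
from math import gcd


def split_denominator(s, b):
    """Write s = T * U, every prime factor of T dividing b and gcd(U, b) = 1."""
    u = s
    g = gcd(u, b)
    while g > 1:
        u //= g
        g = gcd(u, b)
    return s // u, u


def lengths_by_theorem(r, s, b):
    """(pre-period length N, period length v) of the base-b expansion of r/s, 0 < r/s < 1."""
    g = gcd(r, s)
    s //= g                      # lengths depend only on the reduced denominator
    t, u = split_denominator(s, b)
    # N: smallest exponent with T | b^N (N = 0 when T = 1, i.e. no pre-period).
    n_len, power = 0, 1 % t
    while power != 0:
        power = power * b % t
        n_len += 1
    # v: multiplicative order of b modulo U; U = 1 means the expansion terminates.
    v = 0
    if u > 1:
        v, power = 1, b % u
        while power != 1:
            power = power * b % u
            v += 1
    return n_len, v


def expand(r, s, b):
    """Digits of r/s in base b as (pre_period_digits, period_digits).

    rem / s plays the role of gamma_k; the expansion becomes periodic at the first
    repeated remainder and terminates if the remainder reaches 0.
    """
    rem = r % s
    first_seen = {}
    digits = []
    while rem != 0 and rem not in first_seen:
        first_seen[rem] = len(digits)
        rem *= b
        digits.append(rem // s)   # c_k = [b * gamma_{k-1}]
        rem %= s                  # gamma_k = b * gamma_{k-1} - c_k
    if rem == 0:
        return digits, []
    start = first_seen[rem]
    return digits[:start], digits[start:]


if __name__ == "__main__":
    for r, s, b in [(5, 28, 10), (2, 45, 3), (1, 6, 8), (1, 8, 10), (3, 28, 10)]:
        pre, per = expand(r, s, b)
        print(f"{r}/{s} base {b}: pre-period {pre}, period {per}, "
              f"theorem gives {lengths_by_theorem(r, s, b)}")
```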

We observe that by Theorem 12.4 a base b expansion that is not terminating and is 
not periodic represents an irrational number. 

Example 12.5. The number with decimal expansion 

$$\alpha = .10100100010000\ldots,$$

consisting of a one followed by a zero, a one followed by two zeros, a one followed by 
three zeros, and so on, is irrational because this decimal expansion does not terminate 
and is not periodic. ◄ 

The number $\alpha$ in the preceding example is concocted so that its decimal expansion 
is clearly not periodic. To show that naturally occurring numbers such as $e$ and $\pi$ are 
irrational, we cannot use Theorem 12.4, because we do not have explicit formulas for the 
decimal digits of these numbers. No matter how many decimal digits of their expansions 
we compute, we still cannot conclude that they are irrational from this evidence, because 
the period could be longer than the number of digits that we have computed. 

Transcendental Numbers 

The French mathematician Liouville was the first person to show that a particular number 
is transcendental. (Recall from Section 1.1 that a transcendental number is one that is not 
the root of a polynomial with integer coefficients.) The number that Liouville showed is 
transcendental is the number 

$$\alpha = \sum_{i=1}^{\infty} \frac{1}{10^{i!}} = 0.11000100000000000000000100\ldots.$$

This number has a one in the $n!$th place for each positive integer $n$ and a zero elsewhere. 
To show that this number is transcendental, Liouville proved the following theorem, 
which shows that algebraic numbers cannot be approximated very well by rational 
numbers. In particular, this theorem provides a lower bound for how well an algebraic 
number of degree $n$ can be approximated by rational numbers. Note that an algebraic 
number of degree $n$ is a real number that is a root of a polynomial of degree $n$ with integer 
coefficients which is not a root of any polynomial with integer coefficients of degree less 
than $n$. 

Theorem 12.5. If $\alpha$ is an algebraic number of degree $n$, where $n$ is a positive integer 
greater than 1, then there exists a positive real number $C$ such that 

$$\left|\alpha - \frac{p}{q}\right| > C/q^n$$

for every rational number $p/q$, where $q > 0$. 

Because the proof of Theorem 12.5, although not difficult, relies on calculus, we 
will not supply it here. We refer the reader to [HaWr08] for a proof. We will be content 
to use this theorem to show that Liouville’s number is transcendental. 

Corollary 12.5.1. The number $\alpha = \sum_{i=1}^{\infty} 1/10^{i!}$ is transcendental. 

Proof. First, note that $\alpha$ is not rational, because its decimal expansion does not terminate 
and is not periodic. To see that it is not periodic, note that there are increasingly larger 
numbers of zeros between successive ones in the expansion. 

Let $p_k/q_k$ denote the sum of the first $k$ terms in the sum defining $\alpha$. Note that 
$q_k = 10^{k!}$. Because 10* ! > 10 (i+1)!l whenever i > k + 1, we have 

I Pk \_ 1 y, 1 

r q t I “ 1<X*+1)I + (UXH-DI)' ■ 

Because 

00 1 i 

V - < 1 , 

i=k+2 1Q(/C+1)! ' 10 ( * +1)! 

it follows that 

$$\left|\alpha - \frac{p_k}{q_k}\right| < \frac{2}{10^{(k+1)!}}.$$

It therefore follows that $\alpha$ cannot be algebraic, for if it were algebraic of degree $n$, then 
by Theorem 12.5 there would be a positive real number $C$ such that $|\alpha - p_k/q_k| > C/q_k^n$. 
This is not the case, because we have seen that $|\alpha - p_k/q_k| < 2/q_k^{k+1}$, and taking $k$ to 
be sufficiently larger than $n$ produces a contradiction. ■ 

The notion of the decimal expansion of real numbers can be used to show that the 
set of real numbers is not countable. A countable set is one that can be put into a one- 
to-one correspondence with the set of positive integers. Equivalently, the elements of a 
countable set can be listed as the terms of a sequence. The element corresponding to the 
integer 1 is listed first, the element corresponding to the integer 2 is listed second, and 
so on. We will give the proof found by German mathematician Georg Cantor. 

Theorem 12.6. The set of real numbers is an uncountable set. 

Proof. We assume that the set of real numbers is countable. Then the subset of all real 
numbers between 0 and 1 would also be countable, as a subset of a countable set is also 
countable (as the reader should verify). With this assumption, the set of real numbers 
between 0 and 1 can be listed as terms of a sequence $r_1, r_2, r_3, \ldots$. Suppose that the 
decimal expansions of these real numbers are 

$$r_1 = 0.d_{11}d_{12}d_{13}d_{14}\ldots$$
$$r_2 = 0.d_{21}d_{22}d_{23}d_{24}\ldots$$
$$r_3 = 0.d_{31}d_{32}d_{33}d_{34}\ldots$$
$$r_4 = 0.d_{41}d_{42}d_{43}d_{44}\ldots$$

and so on. Now form a new real number $r$ with the decimal expansion $0.d_1d_2d_3d_4\ldots$, 
where the decimal digits are determined by $d_i = 4$ if $d_{ii} \ne 4$ and $d_i = 5$ if $d_{ii} = 4$. 


GEORG CANTOR (1845-1918) was born in St Petersburg, Russia, where 
his father was a successful merchant. When he was 11, his family moved to 
Germany to escape the harsh weather of Russia. Cantor developed his interest 
in mathematics while in German high schools. He attended university at Zurich 
and later at the University of Berlin, studying under the famous mathematicians 
Kummer, Weierstrass, and Kronecker. He received his doctorate in 1867 for 
work in number theory. Cantor took a position at the University of Halle in 
1869, a position that he held until he retired in 1913. 

Cantor is considered the founder of set theory; he is also noted for his contributions to 
mathematical analysis. Many mathematicians had extremely high regard for Cantor’s work, such as Hilbert, 
who said that it was “the finest product of mathematical genius and one of the supreme achievements 
of purely intellectual human activity.” Besides mathematics, Cantor was interested in philosophy, and 
he wrote papers connecting his theory of sets and metaphysics. 

Cantor was married in 1874 and had five children. He had a melancholy temperament that was 
balanced by his wife’s happy disposition. He received a large inheritance from his father, but since 
he was poorly paid as a professor at Halle, he applied for a better-paying position at the University of 
Berlin. His appointment there was blocked by Kronecker, who did not agree with Cantor’s views on 
set theory. Unfortunately, Cantor suffered from mental illness throughout the later years of his life; 
he died of a heart attack in 1918 in a psychiatric clinic. 
Because every real number has a unique decimal expansion (when the possibility 
that the expansion has a tail end that consists entirely of 9s is excluded), the real number 
$r$ that we constructed is between 0 and 1 and is not equal to any of the real numbers 
$r_1, r_2, r_3, \ldots$, because the decimal is a real number $r$ between 0 and 1 not in the list, 
the assumption that all real numbers between 0 and 1 could be listed is false. It follows 
that the set of real numbers between 0 and 1, and hence the set of all real numbers, is 
uncountable. ■ 


12.1 Exercises 

1. Find the decimal expansion of each of the following numbers. 

a) 2/5 b) 5/12 c) 12/13 d) 8/15 e) 1/111 f) 1/1001 

2. Find the base 8 expansions of each of the following numbers. 

a) 1/3 b) 1/4 c) 1/5 d) 1/6 e) 1/12 f) 1/22 

3. Find the fraction, in lowest terms, represented by each of the following expansions, 

a) .12 b) .12 c) .12 

4. Find the fraction, in lowest terms, represented by each of the following expansions, 

a) (. 123) 7 b)(.013) 6 c)(.17) n d) (.ABC) 16 

5. For which positive integers b does the base b expansion of 11/210 terminate? 

6. Find the pre-period and period lengths of the decimal expansion of each of the following 
rational numbers. 

a) 7/12 b) 11/30 c) 1/75 d) 10/23 e) 13/56 f) 1/61 

7. Find the pre-period and period lengths of the base 12 expansions of each of the following 
rational numbers. 

a) 1/4 b) 1/8 c) 7/10 d) 5/24 e) 17/132 f) 7/360 

8. Let b be a positive integer. Show that the period length of the base b expansion of 1/m is 
m — 1 if and only if m is prime and b is a primitive root of m. 

9. For which primes $p$ does the decimal expansion of $1/p$ have period length equal to each of 
the following integers? 

a) 1 b) 2 c) 3 d) 4 e) 5 f) 6 

10. Find the base $b$ expansion of each of the following numbers. 

a) $1/(b - 1)$ b) $1/(b + 1)$ 

11. Let $b$ be an integer with $b > 2$. Show that the base $b$ expansion of $1/(b - 1)^2$ is 
$(.\overline{0123 \ldots b{-}3\;\, b{-}1})_b$. 

12. Show that the real number with base $b$ expansion 

$$(.0123 \ldots b{-}1\;\, 10\; 11\; 12 \ldots)_b,$$

constructed by successively listing the base $b$ expansions of the integers, is irrational. 

13. Show that 

$$\frac{1}{b} + \frac{1}{b^4} + \frac{1}{b^9} + \frac{1}{b^{16}} + \frac{1}{b^{25}} + \cdots$$

is irrational, whenever $b$ is a positive integer greater than 1. 

14. Let $b_1, b_2, b_3, \ldots$ be an infinite sequence of positive integers greater than 1. Show that every 
real number can be represented as 

$$c_0 + \frac{c_1}{b_1} + \frac{c_2}{b_1 b_2} + \frac{c_3}{b_1 b_2 b_3} + \cdots,$$

where $c_0, c_1, c_2, c_3, \ldots$ are integers such that $0 \le c_k < b_k$ for $k = 1, 2, 3, \ldots$. 

15. Show that every real number has an expansion 

$$c_0 + \frac{c_1}{1!} + \frac{c_2}{2!} + \frac{c_3}{3!} + \cdots,$$

where $c_0, c_1, c_2, c_3, \ldots$ are integers and $0 \le c_k < k$ for $k = 1, 2, 3, \ldots$. 

16. Show that every rational number has a terminating expansion of the type described in Exercise 
15. 

17. Suppose that $p$ is a prime and the base $b$ expansion of $1/p$ is $(.\overline{c_1c_2\ldots c_{p-1}})_b$, so that the 
period length of the base $b$ expansion of $1/p$ is $p - 1$. Show that if $m$ is a positive integer 
with $1 < m < p$, then 

$$m/p = (.\overline{c_{k+1}\ldots c_{p-1}c_1c_2\ldots c_{k-1}c_k})_b,$$

where $k$ is the least positive residue of $\mathrm{ind}_b\, m$ modulo $p$. 

* 18. Show that if $p$ is prime and $1/p = (.\overline{c_1c_2\ldots c_k})_b$ has an even period length, $k = 2t$, then 

$c_j + c_{j+t} = b - 1$ for $j = 1, 2, \ldots, t$. 

19. For which positive integers n is the length of the period of the binary expansion of 1 /n equal 
to n - 1? 

20. For which positive integers n is the length of the period of the decimal expansion of 1 / n equal 
to n - 1? 

21. Suppose that $b$ is a positive integer. Show that the coefficients in the base $b$ expansion of the 
real number $\gamma = \sum_{j=1}^{\infty} c_j/b^j$ with $0 \le \gamma < 1$ are given by the formula $c_j = [\gamma b^j] - b[\gamma b^{j-1}]$ 
for $j = 1, 2, \ldots$. (Hint: First, show that $0 \le [\gamma b^j] - b[\gamma b^{j-1}] \le b - 1$. Then, show that 
$\sum_{j=1}^{N} ([\gamma b^j] - b[\gamma b^{j-1}])/b^j = \gamma - (\gamma b^N - [\gamma b^N])/b^N$ and let $N \to \infty$.) 

22. Use the formula in Exercise 21 to find the base 14 expansion of 1/6. 

23. Show that the number $\sum_{i=1}^{\infty} (-1)^{a_i}/10^{i!}$ is transcendental for all sequences of positive integers 
$a_1, a_2, \ldots$. 

24. Is the set of all real numbers with decimal expansions consisting of only zeros and ones 
countable? 

* 25. Show that the number e is irrational. 

26. Pseudorandom numbers can be generated using the base $m$ expansion of $1/P$, where $P$ is a 
positive integer relatively prime to $m$. We set $x_n = c_{j+n}$, where $j$, the position of the seed, is 
a positive integer and $1/P = (.c_1c_2c_3\ldots)_m$. This is called the $1/P$ generator. Find the first 
ten terms of the pseudorandom sequence generator with each of the following parameters. 

a) $m = 7$, $P = 19$, and $j = 6$ b) $m = 8$, $P = 21$, and $j = 5$ 

Computations and Explorations 

1. Find the pre-period and period of the decimal expansions of 212/31597, 1053/4437189, and 
81327/16666699. 

2. Find as many positive integers n as you can such that the length of the period of the decimal 
expansion of 1/n is n — 1. 

3. Find the first 10,000 terms of the decimal expansion of $\pi$. Can you find any patterns? Make 
some conjectures about this expansion. 

4. Find the first 10,000 terms of the decimal expansion of e. Can you find any patterns? Make 
some conjectures about this expansion. 


Programming Projects 

1. Find the base b expansion of a rational number, where b is a positive integer.

2. Find the numerator and denominator of a rational number in lowest terms from its base b 
expansion. 

3. Find the pre-period and period lengths of the base b expansion of a rational number, where 
b is a positive integer. 

4. Generate pseudorandom numbers using the 1/P generator (introduced in Exercise 26) with
modulus m and seed in position j, where P and m are relatively prime positive integers 
greater than 1 and j is a positive integer. 


12.2 Finite Continued Fractions 

The remainder of this chapter deals with continued fractions. In particular, in this section 
we define finite continued fractions. We will show that every rational number can be 
written as a finite continued fraction. Later sections will discuss infinite continued 
fractions. 

Using the Euclidean algorithm, we can express rational numbers as continued 
fractions. For instance, the Euclidean algorithm produces the following sequence of 
equations: 


$$\begin{aligned}
62 &= 2 \cdot 23 + 16 \\
23 &= 1 \cdot 16 + 7 \\
16 &= 2 \cdot 7 + 2 \\
7 &= 3 \cdot 2 + 1.
\end{aligned}$$


When we divide both sides of each equation by the divisor of that equation, we obtain 
$$\begin{aligned}
\frac{62}{23} &= 2 + \frac{16}{23} = 2 + \frac{1}{23/16} \\
\frac{23}{16} &= 1 + \frac{7}{16} = 1 + \frac{1}{16/7} \\
\frac{16}{7} &= 2 + \frac{2}{7} = 2 + \frac{1}{7/2} \\
\frac{7}{2} &= 3 + \frac{1}{2}.
\end{aligned}$$

By combining these equations, we find that 

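$$\begin{aligned}
\frac{62}{23} &= 2 + \cfrac{1}{23/16} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{16/7}} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{7/2}}} \\
&= 2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3 + \cfrac{1}{2}}}}.
\end{aligned}$$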


The final expression in this string of equations is a continued fraction expansion of 62/23. 
We now define continued fractions. 


Definition. A finite continued fraction is an expression of the form

$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cdots + \cfrac{1}{a_{n-1} + \cfrac{1}{a_n}}}}$$

where $a_0, a_1, a_2, \ldots, a_n$ are real numbers with $a_1, a_2, a_3, \ldots, a_n$ positive. The real
numbers $a_1, a_2, \ldots, a_n$ are called the partial quotients of the continued fraction. The
continued fraction is called simple if the real numbers $a_0, a_1, \ldots, a_n$ are all integers.


Because it is cumbersome to fully write out continued fractions, we use the notation
$[a_0; a_1, a_2, \ldots, a_n]$ to represent the continued fraction in the definition of a finite
continued fraction.
We will now show that every finite simple continued fraction represents a rational
number. Later we will demonstrate that every rational number can be expressed as a finite 
simple continued fraction. 

Theorem 12.7. Every finite simple continued fraction represents a rational number. 
Proof. We will prove the theorem using mathematical induction. For n = 1, we have

$$[a_0; a_1] = a_0 + \frac{1}{a_1} = \frac{a_0 a_1 + 1}{a_1},$$

which is rational. Now, we assume that for the positive integer k the simple continued
fraction $[a_0; a_1, a_2, \ldots, a_k]$ is rational whenever $a_0, a_1, \ldots, a_k$ are integers with
$a_1, \ldots, a_k$ positive. Let $a_0, a_1, \ldots, a_{k+1}$ be integers with $a_1, \ldots, a_{k+1}$ positive. Note
that

$$[a_0; a_1, \ldots, a_{k+1}] = a_0 + \frac{1}{[a_1; a_2, \ldots, a_k, a_{k+1}]}.$$

By the induction hypothesis, $[a_1; a_2, \ldots, a_k, a_{k+1}]$ is rational; hence, there are integers
r and s, with $s \ne 0$, such that this continued fraction equals r/s. Then

$$[a_0; a_1, \ldots, a_k, a_{k+1}] = a_0 + \frac{1}{r/s} = \frac{a_0 r + s}{r},$$

which is again a rational number. ■

We now show, using the Euclidean algorithm, that every rational number can be 
written as a finite simple continued fraction. 


Theorem 12.8. Every rational number can be expressed by a finite simple continued 
fraction. 

Proof. Let x = a/b, where a and b are integers with b > 0. Let $r_0 = a$ and $r_1 = b$. Then,
the Euclidean algorithm produces the following sequence of equations:

$$\begin{aligned}
r_0 &= r_1 q_1 + r_2, & 0 < r_2 < r_1, \\
r_1 &= r_2 q_2 + r_3, & 0 < r_3 < r_2, \\
r_2 &= r_3 q_3 + r_4, & 0 < r_4 < r_3, \\
&\;\;\vdots \\
r_{n-3} &= r_{n-2} q_{n-2} + r_{n-1}, & 0 < r_{n-1} < r_{n-2}, \\
r_{n-2} &= r_{n-1} q_{n-1} + r_n, & 0 < r_n < r_{n-1}, \\
r_{n-1} &= r_n q_n.
\end{aligned}$$

In these equations, $q_2, q_3, \ldots, q_n$ are positive integers. Writing these equations in
fractional form, we have

$$\begin{aligned}
\frac{a}{b} = \frac{r_0}{r_1} &= q_1 + \frac{r_2}{r_1} = q_1 + \frac{1}{r_1/r_2} \\
\frac{r_1}{r_2} &= q_2 + \frac{r_3}{r_2} = q_2 + \frac{1}{r_2/r_3} \\
\frac{r_2}{r_3} &= q_3 + \frac{r_4}{r_3} = q_3 + \frac{1}{r_3/r_4} \\
&\;\;\vdots \\
\frac{r_{n-3}}{r_{n-2}} &= q_{n-2} + \frac{r_{n-1}}{r_{n-2}} = q_{n-2} + \frac{1}{r_{n-2}/r_{n-1}} \\
\frac{r_{n-2}}{r_{n-1}} &= q_{n-1} + \frac{r_n}{r_{n-1}} = q_{n-1} + \frac{1}{r_{n-1}/r_n} \\
\frac{r_{n-1}}{r_n} &= q_n.
\end{aligned}$$


Substituting the value of $r_1/r_2$ from the second equation into the first equation, we obtain

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{r_2/r_3}}. \tag{12.10}$$

Similarly, substituting the value of $r_2/r_3$ from the third equation into (12.10), we obtain

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{r_3/r_4}}}.$$

Continuing in this manner, we find that

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cdots + \cfrac{1}{q_{n-1} + \cfrac{1}{q_n}}}}.$$

Hence, $a/b = [q_1; q_2, \ldots, q_n]$. This shows that every rational number can be written as a
finite simple continued fraction. ■

We note that continued fractions for rational numbers are not unique. From the 
identity 


$$a_n = (a_n - 1) + \frac{1}{1},$$

we see that

$$[a_0; a_1, a_2, \ldots, a_{n-1}, a_n] = [a_0; a_1, a_2, \ldots, a_{n-1}, a_n - 1, 1]$$

whenever $a_n > 1$.
Example 12.6. We have

$$\frac{7}{11} = [0; 1, 1, 1, 3] = [0; 1, 1, 1, 2, 1].$$ ◄

In fact, it can be shown that every rational number can be written as a finite simple 
continued fraction in exactly two ways, one with an odd number of terms, the other with 
an even number (see Exercise 12 at the end of this section). 

Next, we will discuss the numbers obtained from a finite continued fraction by 
cutting off the expression at various stages. 

Definition. The continued fraction $[a_0; a_1, a_2, \ldots, a_k]$, where k is a nonnegative integer
less than or equal to n, is called the kth convergent of the continued fraction
$[a_0; a_1, a_2, \ldots, a_n]$. The kth convergent is denoted by $C_k$.

In our subsequent work, we will need some properties of the convergents of a 
continued fraction. We now develop these properties, starting with a formula for the 
convergents. 

Theorem 12.9. Let $a_0, a_1, a_2, \ldots, a_n$ be real numbers, with $a_1, a_2, \ldots, a_n$ positive.
Let the sequences $p_0, p_1, \ldots, p_n$ and $q_0, q_1, \ldots, q_n$ be defined recursively by

$$\begin{aligned}
p_0 &= a_0 & q_0 &= 1 \\
p_1 &= a_0 a_1 + 1 & q_1 &= a_1
\end{aligned}$$

and

$$p_k = a_k p_{k-1} + p_{k-2} \qquad q_k = a_k q_{k-1} + q_{k-2}$$

for k = 2, 3, ..., n. Then the kth convergent $C_k = [a_0; a_1, \ldots, a_k]$ is given by

$$C_k = p_k/q_k.$$


Proof. We will prove this theorem using mathematical induction. We first find the three 
initial convergents. They are 


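$$\begin{aligned}
C_0 &= [a_0] = a_0/1 = p_0/q_0, \\
C_1 &= [a_0; a_1] = a_0 + \frac{1}{a_1} = \frac{a_0 a_1 + 1}{a_1} = \frac{p_1}{q_1}, \\
C_2 &= [a_0; a_1, a_2] = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2}} = \frac{a_2(a_1 a_0 + 1) + a_0}{a_2 a_1 + 1} = \frac{p_2}{q_2}.
\end{aligned}$$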


Hence, the theorem is valid for k = 0, k = 1, and k = 2. 


Now assume that the theorem is true for the positive integer k, where $2 \le k < n$.
This means that

$$C_k = [a_0; a_1, \ldots, a_k] = \frac{p_k}{q_k} = \frac{a_k p_{k-1} + p_{k-2}}{a_k q_{k-1} + q_{k-2}}. \tag{12.11}$$

Because of the way in which the $p_j$'s and $q_j$'s are defined, we see that the real numbers
$p_{k-1}$, $p_{k-2}$, $q_{k-1}$, and $q_{k-2}$ depend only on the partial quotients $a_0, a_1, \ldots, a_{k-1}$.
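Consequently, we can replace the real number $a_k$ by $a_k + 1/a_{k+1}$ in (12.11), to obtain

$$\begin{aligned}
C_{k+1} = [a_0; a_1, \ldots, a_k, a_{k+1}] &= \left[a_0; a_1, \ldots, a_{k-1}, a_k + \frac{1}{a_{k+1}}\right] \\
&= \frac{\left(a_k + \frac{1}{a_{k+1}}\right) p_{k-1} + p_{k-2}}{\left(a_k + \frac{1}{a_{k+1}}\right) q_{k-1} + q_{k-2}} \\
&= \frac{a_{k+1}(a_k p_{k-1} + p_{k-2}) + p_{k-1}}{a_{k+1}(a_k q_{k-1} + q_{k-2}) + q_{k-1}} \\
&= \frac{a_{k+1} p_k + p_{k-1}}{a_{k+1} q_k + q_{k-1}} \\
&= \frac{p_{k+1}}{q_{k+1}}.
\end{aligned}$$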

This finishes the proof by induction. ■ 

We will illustrate how to use Theorem 12.9 with the following example. 

Example 12.7. We have 173/55 = [3; 6, 1, 7]. We compute the sequences $p_j$ and $q_j$
for j = 0, 1, 2, 3, by

$$\begin{aligned}
p_0 &= 3 & q_0 &= 1 \\
p_1 &= 3 \cdot 6 + 1 = 19 & q_1 &= 6 \\
p_2 &= 1 \cdot 19 + 3 = 22 & q_2 &= 1 \cdot 6 + 1 = 7 \\
p_3 &= 7 \cdot 22 + 19 = 173 & q_3 &= 7 \cdot 7 + 6 = 55.
\end{aligned}$$

Hence, the convergents of the above continued fraction are

$$\begin{aligned}
C_0 &= p_0/q_0 = 3/1 = 3 \\
C_1 &= p_1/q_1 = 19/6 \\
C_2 &= p_2/q_2 = 22/7 \\
C_3 &= p_3/q_3 = 173/55.
\end{aligned}$$ ◄

We now state and prove another important property of the convergents of a continued 
fraction. 

Theorem 12.10. Let $C_k = p_k/q_k$ be the kth convergent of the continued fraction
$[a_0; a_1, \ldots, a_n]$, where k is a positive integer, $1 \le k \le n$. If $p_k$ and $q_k$ are as defined in Theorem
12.9, then

$$p_k q_{k-1} - p_{k-1} q_k = (-1)^{k-1}.$$

Proof. We use mathematical induction to prove the theorem. For k = 1, we have

$$p_1 q_0 - p_0 q_1 = (a_0 a_1 + 1) \cdot 1 - a_0 a_1 = 1.$$
Assume that the theorem is true for an integer k, where $1 \le k < n$, so that

$$p_k q_{k-1} - p_{k-1} q_k = (-1)^{k-1}.$$

Then we have

$$\begin{aligned}
p_{k+1} q_k - p_k q_{k+1} &= (a_{k+1} p_k + p_{k-1}) q_k - p_k (a_{k+1} q_k + q_{k-1}) \\
&= p_{k-1} q_k - p_k q_{k-1} = -(-1)^{k-1} = (-1)^k,
\end{aligned}$$

so that the theorem is true for k + 1. This finishes the proof by induction. ■ 

We illustrate this theorem with the example that we used to illustrate Theorem 12.9. 

Example 12.8. For the continued fraction [3; 6, 1, 7], we have

$$\begin{aligned}
p_0 q_1 - p_1 q_0 &= 3 \cdot 6 - 19 \cdot 1 = -1 \\
p_1 q_2 - p_2 q_1 &= 19 \cdot 7 - 22 \cdot 6 = 1 \\
p_2 q_3 - p_3 q_2 &= 22 \cdot 55 - 173 \cdot 7 = -1.
\end{aligned}$$ ◄

As a consequence of Theorem 12.10, we see that for k = 1, 2, ..., the convergents $p_k/q_k$
of a simple continued fraction are in lowest terms. Corollary 12.10.1 demonstrates this.

Corollary 12.10.1. Let $C_k = p_k/q_k$ be the kth convergent of the simple continued
fraction $[a_0; a_1, \ldots, a_n]$, where the integers $p_k$ and $q_k$ are as defined in Theorem 12.9.
Then the integers $p_k$ and $q_k$ are relatively prime.

Proof. Let $d = (p_k, q_k)$. By Theorem 12.10, we know that

$$p_k q_{k-1} - q_k p_{k-1} = (-1)^{k-1}.$$


Hence, 


Therefore, d = 1. ■ 

We also have the following useful corollary of Theorem 12.10. 

Corollary 12.10.2. Let $C_k = p_k/q_k$ be the kth convergent of the simple continued
fraction $[a_0; a_1, a_2, \ldots, a_n]$. Then

$$C_k - C_{k-1} = \frac{(-1)^{k-1}}{q_k q_{k-1}}$$

for all integers k with $1 \le k \le n$. Also,

$$C_k - C_{k-2} = \frac{a_k (-1)^k}{q_k q_{k-2}}$$

for all integers k with $2 \le k \le n$.
Proof. Subtracting fractions and applying Theorem 12.10 tells us that

$$C_k - C_{k-1} = \frac{p_k}{q_k} - \frac{p_{k-1}}{q_{k-1}} = \frac{p_k q_{k-1} - p_{k-1} q_k}{q_k q_{k-1}} = \frac{(-1)^{k-1}}{q_k q_{k-1}},$$

giving us the first identity of the corollary.

To obtain the second identity, note that

$$C_k - C_{k-2} = \frac{p_k}{q_k} - \frac{p_{k-2}}{q_{k-2}} = \frac{p_k q_{k-2} - p_{k-2} q_k}{q_k q_{k-2}}.$$

Because $p_k = a_k p_{k-1} + p_{k-2}$ and $q_k = a_k q_{k-1} + q_{k-2}$, we see that the numerator of the
fraction on the right is

$$\begin{aligned}
p_k q_{k-2} - p_{k-2} q_k &= (a_k p_{k-1} + p_{k-2}) q_{k-2} - p_{k-2} (a_k q_{k-1} + q_{k-2}) \\
&= a_k (p_{k-1} q_{k-2} - p_{k-2} q_{k-1}) \\
&= a_k (-1)^{k-2},
\end{aligned}$$

using Theorem 12.10 to see that $p_{k-1} q_{k-2} - p_{k-2} q_{k-1} = (-1)^{k-2}$.
Therefore, we find that

$$C_k - C_{k-2} = \frac{a_k (-1)^k}{q_k q_{k-2}}.$$

This is the second identity of the corollary.


Using Corollary 12.10.2, we can prove the following theorem, which is useful when 
developing infinite continued fractions. 


Theorem 12.11. Let $C_k$ be the kth convergent of the finite simple continued fraction
$[a_0; a_1, a_2, \ldots, a_n]$. Then

$$C_1 > C_3 > C_5 > \cdots,$$

$$C_0 < C_2 < C_4 < \cdots,$$

and every odd-numbered convergent $C_{2j+1}$, j = 0, 1, 2, ..., is greater than every
even-numbered convergent $C_{2j}$, j = 0, 1, 2, ....

Proof. Because Corollary 12.10.2 tells us that, for k = 2, 3, ..., n,

$$C_k - C_{k-2} = \frac{a_k (-1)^k}{q_k q_{k-2}},$$

we know that

$$C_k < C_{k-2}$$

when k is odd, and

$$C_k > C_{k-2}$$

when k is even. Hence,

$$C_1 > C_3 > C_5 > \cdots$$

and

$$C_0 < C_2 < C_4 < \cdots.$$

To show that every odd-numbered convergent is greater than every even-numbered
convergent, note that from Corollary 12.10.2, we have

$$C_{2m} - C_{2m-1} = \frac{(-1)^{2m-1}}{q_{2m} q_{2m-1}} < 0,$$

so that $C_{2m-1} > C_{2m}$. To compare $C_{2k}$ and $C_{2j-1}$, we see that

$$C_{2j-1} > C_{2j+2k-1} > C_{2j+2k} > C_{2k},$$

so that every odd-numbered convergent is greater than every even-numbered convergent.


Example 12.9. Consider the finite simple continued fraction [2; 3, 1, 1, 2, 4]. Then the
convergents are

$$\begin{aligned}
C_0 &= 2/1 = 2 \\
C_1 &= 7/3 = 2.3333\ldots \\
C_2 &= 9/4 = 2.25 \\
C_3 &= 16/7 = 2.2857\ldots \\
C_4 &= 41/18 = 2.2777\ldots \\
C_5 &= 180/79 = 2.2784\ldots.
\end{aligned}$$

We see that

$$C_0 = 2 < C_2 = 2.25 < C_4 = 2.2777\ldots < C_5 = 2.2784\ldots < C_3 = 2.2857\ldots < C_1 = 2.3333\ldots.$$ ◄
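The following Python sketch is an added example, not code from the text. It expands a rational number with the Euclidean algorithm as in the proof of Theorem 12.8, builds the convergents with the recurrence of Theorem 12.9, and checks Theorem 12.10, Corollary 12.10.1 and Theorem 12.11 on the result. All function names are chosen here, and the starting values p_{-1} = 1, q_{-1} = 0 are a standard convention assumed by this sketch that reproduces the p_0, p_1, q_0, q_1 of Theorem 12.9.

```python
from fractions import Fraction
from math import gcd


def continued_fraction(a, b):
    """Partial quotients [a0; a1, ..., an] of a/b with b > 0 (proof of Theorem 12.8)."""
    if b <= 0:
        raise ValueError("denominator must be positive")
    quotients = []
    while b != 0:
        q, r = divmod(a, b)      # one Euclidean step: a = q*b + r with 0 <= r < b
        quotients.append(q)
        a, b = b, r
    return quotients


def evaluate(quotients):
    """Rational number represented by [a0; a1, ..., an], folded from the right."""
    value = Fraction(quotients[-1])
    for a_k in reversed(quotients[:-1]):
        value = a_k + 1 / value
    return value


def alternate_form(quotients):
    """The second expansion of the same rational: [..., a_n] <-> [..., a_n - 1, 1]."""
    *head, last = quotients
    if last > 1 or not head:
        return head + [last - 1, 1]
    return head[:-1] + [head[-1] + 1]


def convergents(quotients):
    """List of (p_k, q_k) for k = 0..n from the recurrence of Theorem 12.9."""
    p_prev, q_prev = 1, 0            # assumed convention: p_{-1} = 1, q_{-1} = 0
    p, q = quotients[0], 1           # p_0 = a_0, q_0 = 1
    result = [(p, q)]
    for a_k in quotients[1:]:
        p, p_prev = a_k * p + p_prev, p
        q, q_prev = a_k * q + q_prev, q
        result.append((p, q))
    return result


def check_theorems(quotients):
    """True if Theorem 12.10, Corollary 12.10.1 and Theorem 12.11 hold for this expansion."""
    pq = convergents(quotients)
    for k in range(1, len(pq)):
        (p0, q0), (p1, q1) = pq[k - 1], pq[k]
        if p1 * q0 - p0 * q1 != (-1) ** (k - 1):   # Theorem 12.10
            return False
        if gcd(p1, q1) != 1:                       # Corollary 12.10.1
            return False
    values = [Fraction(p, q) for p, q in pq]
    evens, odds = values[0::2], values[1::2]
    increasing = all(x < y for x, y in zip(evens, evens[1:]))
    decreasing = all(x > y for x, y in zip(odds, odds[1:]))
    separated = all(e < o for e in evens for o in odds)
    return increasing and decreasing and separated  # Theorem 12.11


if __name__ == "__main__":
    print(continued_fraction(62, 23))        # expansion worked at the start of the section
    print(convergents([3, 6, 1, 7]))         # Example 12.7
    print(alternate_form([0, 1, 1, 1, 3]))   # Example 12.6
    print(check_theorems([2, 3, 1, 1, 2, 4]))  # Example 12.9
```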


12.2 Exercises 

1. Find the rational number, expressed in lowest terms, represented by each of the following 
simple continued fractions. 

a) [2; 7] c) [0; 5, 6] e) [1; 1] g) [1; 1, 1, 1]

b) [1; 2, 3] d) [3; 7, 15, 1] f) [1; 1, 1] h) [1; 1, 1, 1, 1]

2. Find the rational number, expressed in lowest terms, represented by each of the following 
simple continued fractions. 

a) [10; 3] c) [0; 1, 2, 3] e) [2; 1, 2, 1, 1, 4] g) [1; 2, 1, 2, 1]

b) [3; 2, 1] d) [2; 1, 2, 1] f) [1; 2, 1, 2] h) [1; 2, 1, 2, 1, 2]

3. Find the simple continued fraction expansion, not terminating with the partial quotient of 1, 
of each of the following rational numbers. 
a) 18/13 c) 19/9 e) -931/1005

b) 32/17 d) 310/99 f) 831/8110 

4. Find the simple continued fraction expansion, not terminating with the partial quotient of 1, 
of each of the following rational numbers. 

a) 6/5 c) 19/29 e) -943/1001 

b) 22/7 d) 5/999 f ) 873/4867 

5. Find the convergents of each of the continued fractions found in Exercise 3. 

6. Find the convergents of each of the continued fractions found in Exercise 4. 

7. Show that the convergents that you found in Exercise 5 satisfy Theorem 12.11. 

8. Let $f_k$ denote the kth Fibonacci number. Find the simple continued fraction, terminating with
the partial quotient of 1, of $f_{k+1}/f_k$, where k is a positive integer.

9. Show that if the simple continued fraction expression of the rational number $\alpha$, $\alpha > 1$, is
$[a_0; a_1, \ldots, a_k]$, then the simple continued fraction expression of $1/\alpha$ is $[0; a_0, a_1, \ldots, a_k]$.

> 10. Show that if $a_0 > 0$, then

$$p_k/p_{k-1} = [a_k; a_{k-1}, \ldots, a_1, a_0]$$

and

$$q_k/q_{k-1} = [a_k; a_{k-1}, \ldots, a_2, a_1],$$

where $C_{k-1} = p_{k-1}/q_{k-1}$ and $C_k = p_k/q_k$, $k \ge 1$, are successive convergents of the continued
fraction $[a_0; a_1, \ldots, a_n]$. (Hint: Use the relation $p_k = a_k p_{k-1} + p_{k-2}$ to show that
$p_k/p_{k-1} = a_k + 1/(p_{k-1}/p_{k-2})$.)

> 11. Show that $q_k \ge f_k$ for k = 1, 2, ..., where $C_k = p_k/q_k$ is the kth convergent of the simple
continued fraction $[a_0; a_1, \ldots, a_n]$ and $f_k$ denotes the kth Fibonacci number.

12. Show that every rational number has exactly two finite simple continued fraction expansions. 

* 13. Let $[a_0; a_1, a_2, \ldots, a_n]$ be the simple continued fraction expansion of r/s, where (r, s) = 1
and r > 1. Show that this continued fraction is symmetric, that is, $a_0 = a_n$, $a_1 = a_{n-1}$,
$a_2 = a_{n-2}$, ..., if and only if $r \mid (s^2 + 1)$ if n is odd and $r \mid (s^2 - 1)$ if n is even. (Hint: Use Exercise
10 and Theorem 12.10.)

* 14. Explain how finite continued fractions for rational numbers, with both plus and minus signs 

allowed, can be generated from the division algorithm given in Exercise 18 of Section 1.5. 

15. Let $a_0, a_1, a_2, \ldots, a_k$ be real numbers with $a_1, a_2, \ldots$ positive, and let x be a positive real
number. Show that $[a_0; a_1, \ldots, a_k] < [a_0; a_1, \ldots, a_k + x]$ if k is odd and $[a_0; a_1, \ldots, a_k] >
[a_0; a_1, \ldots, a_k + x]$ if k is even.

16. Determine whether n can be expressed as the sum of positive integers a and b, where all the
partial quotients of the finite simple continued fraction of a/b are either 1 or 2, for each of
the following integers n. 

a) 13 b) 17 c) 19 d) 23 e) 27 f ) 29 

Computations and Explorations 

1. Find the simple continued fractions of 1001/3000, 10,001/30,000, and 100,001/300,000. 

2. Find the finite continued fractions of x and 2x for 20 different rational numbers. Can you find
a rule for finding the finite simple continued fraction of 2x from that of x?

3. Determine for each integer n, n < 1000, whether there are integers a and b with n = a + b
such that the partial quotients of the continued fraction of a/b are all either 1 or 2. Can you
make any conjectures?

Programming Projects 

1. Given a rational number, find its simple continued fraction expansion. 

2. Given a finite simple continued fraction, find its convergents and the rational number that this 
continued fraction represents. 


12.3 Infinite Continued Fractions 

In this section, we will define infinite continued fractions and show how to represent a 
real number using an infinite continued fraction. We will show how to use the continued 
fraction representation of a real number to produce rational numbers that are excellent 
approximations of this real number. We will also show how to apply continued fractions 
to explain a certain kind of attack on the RSA cryptosystem. In the next section, we will
study the continued fractions of quadratic irrationalities. 

To begin, suppose that we have an infinite sequence of positive integers $a_0, a_1, a_2,
\ldots$. How can we define the infinite continued fraction $[a_0; a_1, a_2, \ldots]$? To make sense
of infinite continued fractions, we need a result from mathematical analysis. We state the
result, and refer the reader to a mathematical analysis text, such as [Ru64], for a proof.

Theorem 12.12. Let $x_0, x_1, x_2, \ldots$ be a sequence of real numbers such that $x_0 < x_1 <
x_2 < \cdots$ and $x_k < U$ for k = 0, 1, 2, ... for some real number U, or $x_0 > x_1 > x_2 > \cdots$
and $x_k > L$ for k = 0, 1, 2, ... for some real number L. Then the terms of the sequence
$x_0, x_1, x_2, \ldots$ tend to a limit x, that is, there exists a real number x such that

$$\lim_{k \to \infty} x_k = x.$$

Theorem 12.12 tells us that the terms of an infinite sequence tend to a limit in two 
special situations: when the terms of the sequence are increasing and all are less than an 
upper bound, and when the terms of the sequence are decreasing and all are greater than 
a lower bound. 

We can now define infinite continued fractions as limits of finite continued fractions, 
as the following theorem shows. 

Theorem 12.13. Let $a_0, a_1, a_2, \ldots$ be an infinite sequence of integers with $a_1, a_2, \ldots$
positive, and let $C_k = [a_0; a_1, a_2, \ldots, a_k]$. Then the convergents $C_k$ tend to a limit $\alpha$,
that is,

$$\lim_{k \to \infty} C_k = \alpha.$$

Before proving Theorem 12.13, we note that the limit $\alpha$ described in the statement of
the theorem is called the value of the infinite simple continued fraction $[a_0; a_1, a_2, \ldots]$.

To prove Theorem 12.13, we will show that the infinite sequence of even-numbered
convergents is increasing and has an upper bound and that the infinite sequence of odd- 
numbered convergents is decreasing and has a lower bound. We then show that the limits 
of these two sequences, guaranteed to exist by Theorem 12.12, are in fact equal. 

Proof. Let m be an even positive integer. By Theorem 12.11, we see that

$$C_1 > C_3 > C_5 > \cdots > C_{m-1},$$
$$C_0 < C_2 < C_4 < \cdots < C_m,$$

and $C_{2j} < C_{2k+1}$ whenever $2j \le m$ and $2k + 1 < m$. By considering all possible values
of m, we see that

$$C_1 > C_3 > C_5 > \cdots > C_{2n-1} > C_{2n+1} > \cdots,$$
$$C_0 < C_2 < C_4 < \cdots < C_{2n-2} < C_{2n} < \cdots,$$

and $C_{2j} < C_{2k+1}$ for all positive integers j and k. We see that the hypotheses of Theorem
12.12 are satisfied for each of the two sequences $C_1, C_3, C_5, \ldots$ and $C_0, C_2, C_4, \ldots$.
Hence, the sequence $C_1, C_3, C_5, \ldots$ tends to a limit $\alpha_1$ and the sequence $C_0, C_2, C_4, \ldots$
tends to a limit $\alpha_2$, that is,

$$\lim_{n \to \infty} C_{2n+1} = \alpha_1$$

and

$$\lim_{n \to \infty} C_{2n} = \alpha_2.$$

Our goal is to show that these two limits $\alpha_1$ and $\alpha_2$ are equal. Using Corollary 12.10.2,
we have

$$C_{2n+1} - C_{2n} = \frac{p_{2n+1}}{q_{2n+1}} - \frac{p_{2n}}{q_{2n}} = \frac{(-1)^{(2n+1)-1}}{q_{2n+1} q_{2n}} = \frac{1}{q_{2n+1} q_{2n}}.$$

Because $q_k \ge k$ for all positive integers k (see Exercise 11 of Section 12.2), we know
that

$$\frac{1}{q_{2n+1} q_{2n}} \le \frac{1}{(2n+1)(2n)},$$

and, hence,

$$C_{2n+1} - C_{2n} = \frac{1}{q_{2n+1} q_{2n}}$$

tends to zero, that is,

$$\lim_{n \to \infty} (C_{2n+1} - C_{2n}) = 0.$$

Hence, the sequences $C_1, C_3, C_5, \ldots$ and $C_0, C_2, C_4, \ldots$ have the same limit, because

$$\lim_{n \to \infty} (C_{2n+1} - C_{2n}) = \lim_{n \to \infty} C_{2n+1} - \lim_{n \to \infty} C_{2n} = 0.$$

Therefore, $\alpha_1 = \alpha_2$, and we conclude that all the convergents tend to the limit $\alpha = \alpha_1 =
\alpha_2$. This finishes the proof of the theorem. ■
Previously, we showed that rational numbers have finite simple continued fractions.
Next, we will show that the value of any infinite simple continued fraction is irrational. 


Theorem 12.14. Let $a_0, a_1, a_2, \ldots$ be integers with $a_1, a_2, \ldots$ positive. Then $[a_0; a_1,
a_2, \ldots]$ is irrational.

Proof. Let $\alpha = [a_0; a_1, a_2, \ldots]$, and let

$$C_k = p_k/q_k = [a_0; a_1, a_2, \ldots, a_k]$$

denote the kth convergent of $\alpha$. When n is a positive integer, Theorem 12.13 shows that
$C_{2n} < \alpha < C_{2n+1}$, so that

$$0 < \alpha - C_{2n} < C_{2n+1} - C_{2n}.$$

However, by Corollary 12.10.2, we know that

$$C_{2n+1} - C_{2n} = \frac{1}{q_{2n+1} q_{2n}},$$

which means that

$$0 < \alpha - \frac{p_{2n}}{q_{2n}} < \frac{1}{q_{2n+1} q_{2n}},$$

and, therefore, we have

$$0 < \alpha q_{2n} - p_{2n} < \frac{1}{q_{2n+1}}.$$

Assume that $\alpha$ is rational, so that $\alpha = a/b$, where a and b are integers with $b \ne 0$. Then

$$0 < \frac{a q_{2n}}{b} - p_{2n} < \frac{1}{q_{2n+1}},$$

and by multiplying this inequality by b, we see that

$$0 < a q_{2n} - b p_{2n} < \frac{b}{q_{2n+1}}.$$

Note that $a q_{2n} - b p_{2n}$ is an integer for all positive integers n. However, because $q_{2n+1} \ge
2n + 1$, for each integer n there is an integer $n_0$ such that $q_{2n_0+1} > b$, so that $b/q_{2n_0+1} < 1$.
This is a contradiction, because the integer $a q_{2n_0} - b p_{2n_0}$ cannot be between 0 and 1.
We conclude that $\alpha$ is irrational. ■


We have demonstrated that every infinite simple continued fraction represents an 
irrational number. We will now show that every irrational number can be uniquely 
expressed by an infinite simple continued fraction, by first constructing such a continued 
fraction, and then by showing that it is unique. 


Theorem 12.15. Let $\alpha = \alpha_0$ be an irrational number, and define the sequence
$a_0, a_1, a_2, \ldots$ recursively by

$$a_k = [\alpha_k] \qquad \alpha_{k+1} = 1/(\alpha_k - a_k)$$

for k = 0, 1, 2, .... Then $\alpha$ is the value of the infinite simple continued fraction
$[a_0; a_1, a_2, \ldots]$.

Proof. From the recursive definition of the integers $a_k$, we see that $a_k$ is an integer for
every k. Furthermore, using mathematical induction, we can show that $\alpha_k$ is irrational
for every nonnegative integer k and that, as a consequence, $\alpha_{k+1}$ exists. First, note that
$\alpha_0 = \alpha$ is irrational, so that $\alpha_0 \ne a_0 = [\alpha_0]$ and $\alpha_1 = 1/(\alpha_0 - a_0)$ exists.

Next, we assume that $\alpha_k$ is irrational. As a consequence, $\alpha_{k+1}$ exists. We can easily
see that $\alpha_{k+1}$ is also irrational, because the relation

$$\alpha_{k+1} = 1/(\alpha_k - a_k)$$

implies that

$$\alpha_k = a_k + \frac{1}{\alpha_{k+1}}, \tag{12.12}$$

and if $\alpha_{k+1}$ were rational, then $\alpha_k$ would also be rational. Now, because $\alpha_k$ is irrational
and $a_k$ is an integer, we know that $\alpha_k \ne a_k$, and

$$a_k < \alpha_k < a_k + 1,$$

so that

$$0 < \alpha_k - a_k < 1.$$

Hence,

$$\alpha_{k+1} = 1/(\alpha_k - a_k) > 1$$

and, consequently,

$$a_{k+1} = [\alpha_{k+1}] \ge 1$$

for k = 0, 1, 2, .... This means that all the integers $a_1, a_2, \ldots$ are positive.
Note that by repeatedly using (12.12), we see that

$$\begin{aligned}
\alpha = \alpha_0 &= a_0 + \cfrac{1}{\alpha_1} = [a_0; \alpha_1] \\
&= a_0 + \cfrac{1}{a_1 + \cfrac{1}{\alpha_2}} = [a_0; a_1, \alpha_2] \\
&\;\;\vdots \\
&= a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cdots + \cfrac{1}{a_k + \cfrac{1}{\alpha_{k+1}}}}} = [a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}].
\end{aligned}$$
What we must now show is that the value of $[a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}]$ tends to $\alpha$ as k
tends to infinity, that is, as k grows without bound. By Theorem 12.9, we see that

$$\alpha = [a_0; a_1, \ldots, a_k, \alpha_{k+1}] = \frac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}},$$

where $C_j = p_j/q_j$ is the jth convergent of $[a_0; a_1, a_2, \ldots]$. Hence,

$$\begin{aligned}
\alpha - C_k &= \frac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}} - \frac{p_k}{q_k} \\
&= \frac{-(p_k q_{k-1} - p_{k-1} q_k)}{(\alpha_{k+1} q_k + q_{k-1}) q_k} \\
&= \frac{(-1)^k}{(\alpha_{k+1} q_k + q_{k-1}) q_k},
\end{aligned}$$

where we have used Theorem 12.10 to simplify the numerator on the right-hand side of
the second equality. Because

$$\alpha_{k+1} q_k + q_{k-1} > a_{k+1} q_k + q_{k-1} = q_{k+1},$$

we see that

$$|\alpha - C_k| < \frac{1}{q_k q_{k+1}}.$$

Because $q_k \ge k$ (from Exercise 11 of Section 12.2), we note that $1/(q_k q_{k+1})$ tends to zero
as k tends to infinity. Hence, $C_k$ tends to $\alpha$ as k tends to infinity or, phrased differently,
the value of the infinite simple continued fraction $[a_0; a_1, a_2, \ldots]$ is $\alpha$. ■

To show that the infinite simple continued fraction that represents an irrational
number is unique, we prove the following theorem.


Theorem 12.16. If the two infinite simple continued fractions $[a_0; a_1, a_2, \ldots]$ and
$[b_0; b_1, b_2, \ldots]$ represent the same irrational number, then $a_k = b_k$ for k = 0, 1, 2, ....

Proof. Suppose that $\alpha = [a_0; a_1, a_2, \ldots]$. Then, because $C_0 = a_0$ and $C_1 = a_0 + 1/a_1$,
Theorem 12.11 tells us that

$$a_0 < \alpha < a_0 + 1/a_1,$$

so that $a_0 = [\alpha]$. Further, we note that

$$[a_0; a_1, a_2, \ldots] = a_0 + \frac{1}{[a_1; a_2, a_3, \ldots]}$$

because

$$\begin{aligned}
\alpha = [a_0; a_1, a_2, \ldots] &= \lim_{k \to \infty} [a_0; a_1, a_2, \ldots, a_k] \\
&= \lim_{k \to \infty} \left( a_0 + \frac{1}{[a_1; a_2, a_3, \ldots, a_k]} \right) \\
&= a_0 + \frac{1}{\lim_{k \to \infty} [a_1; a_2, \ldots, a_k]} \\
&= a_0 + \frac{1}{[a_1; a_2, a_3, \ldots]}.
\end{aligned}$$

Suppose that

$$[a_0; a_1, a_2, \ldots] = [b_0; b_1, b_2, \ldots].$$

Our remarks show that

$$a_0 = b_0 = [\alpha]$$

and that

$$a_0 + \frac{1}{[a_1; a_2, \ldots]} = b_0 + \frac{1}{[b_1; b_2, \ldots]},$$

so that

$$[a_1; a_2, \ldots] = [b_1; b_2, \ldots].$$

Now, assume that $a_k = b_k$, and that $[a_{k+1}; a_{k+2}, \ldots] = [b_{k+1}; b_{k+2}, \ldots]$. Using the same
argument, we see that $a_{k+1} = b_{k+1}$, and

$$a_{k+1} + \frac{1}{[a_{k+2}; a_{k+3}, \ldots]} = b_{k+1} + \frac{1}{[b_{k+2}; b_{k+3}, \ldots]},$$

which implies that

$$[a_{k+2}; a_{k+3}, \ldots] = [b_{k+2}; b_{k+3}, \ldots].$$

Hence, by mathematical induction, we see that $a_k = b_k$ for k = 0, 1, 2, .... ■

To find the simple continued fraction expansion of a real number, we use the 
algorithm given in Theorem 12.15. We illustrate this procedure with the following 
example. 


Example 12.10. Let $\alpha = \sqrt{6}$. We find that

$$\begin{aligned}
a_0 &= [\sqrt{6}] = 2, & \alpha_1 &= \frac{1}{\sqrt{6} - 2} = \frac{\sqrt{6} + 2}{2}, \\
a_1 &= \left[\frac{\sqrt{6} + 2}{2}\right] = 2, & \alpha_2 &= \frac{1}{\left(\frac{\sqrt{6} + 2}{2}\right) - 2} = \sqrt{6} + 2, \\
a_2 &= [\sqrt{6} + 2] = 4, & \alpha_3 &= \frac{1}{(\sqrt{6} + 2) - 4} = \frac{\sqrt{6} + 2}{2} = \alpha_1.
\end{aligned}$$

Because $\alpha_3 = \alpha_1$, we see that $a_3 = a_1$, $a_4 = a_2$, ..., and so on. Hence,

$$\sqrt{6} = [2; 2, 4, 2, 4, 2, 4, \ldots].$$

The simple continued fraction of $\sqrt{6}$ is periodic. We will discuss periodic simple continued
fractions in the next section. ◄

The convergents of the infinite simple continued fraction of an irrational number $\alpha$ are
good approximations to $\alpha$. This leads to the following theorem, which we introduced in
Exercise 34 of Section 1.1.

Theorem 12.17. Dirichlet's Theorem on Diophantine Approximation. If $\alpha$ is an
irrational number, then there are infinitely many rational numbers p/q such that

$$|\alpha - p/q| < 1/q^2.$$

Proof. Let $p_k/q_k$ be the kth convergent of the continued fraction of $\alpha$. Then, by the
proof of Theorem 12.15, we know that

$$|\alpha - p_k/q_k| < 1/(q_k q_{k+1}).$$

Because $q_k < q_{k+1}$, it follows that

$$|\alpha - p_k/q_k| < 1/q_k^2.$$

Consequently, the convergents of $\alpha$, $p_k/q_k$, k = 1, 2, ..., are infinitely many rational
numbers meeting the conditions of the theorem. ■

The next theorem and corollary show that the convergents of the simple continued
fraction of $\alpha$ are the best rational approximations to $\alpha$, in the sense that $p_k/q_k$ is closer
to $\alpha$ than any other rational number with a denominator less than $q_k$. (See Exercise 17
for the best rational approximations to a real number for all denominators.)

Theorem 12.18. Let $\alpha$ be an irrational number and let $p_j/q_j$, j = 1, 2, ..., be the
convergents of the infinite simple continued fraction of $\alpha$. If r and s are integers with
s > 0 and if k is a positive integer such that

$$|s\alpha - r| < |q_k \alpha - p_k|,$$

then $s \ge q_{k+1}$.

Proof. Assume that $|s\alpha - r| < |q_k \alpha - p_k|$, but that $1 \le s < q_{k+1}$. We consider the
simultaneous equations

$$\begin{aligned}
p_k x + p_{k+1} y &= r \\
q_k x + q_{k+1} y &= s.
\end{aligned}$$

By multiplying the first equation by $q_k$ and the second by $p_k$, and then subtracting the
second from the first, we find that

$$(p_{k+1} q_k - p_k q_{k+1}) y = r q_k - s p_k.$$

By Theorem 12.10, we know that $p_{k+1} q_k - p_k q_{k+1} = (-1)^k$, so that

$$y = (-1)^k (r q_k - s p_k).$$

Similarly, multiplying the first equation by $q_{k+1}$ and the second by $p_{k+1}$, and then
subtracting the first from the second, we find that

$$x = (-1)^k (s p_{k+1} - r q_{k+1}).$$

We will now show that $x \ne 0$ and $y \ne 0$. If x = 0, then $s p_{k+1} = r q_{k+1}$. Because
$(p_{k+1}, q_{k+1}) = 1$, Lemma 3.4 tells us that $q_{k+1} \mid s$, which implies that $q_{k+1} \le s$, contrary
to our assumption. If y = 0, then $r = p_k x$ and $s = q_k x$, so that

$$|s\alpha - r| = |x| \, |q_k \alpha - p_k| \ge |q_k \alpha - p_k|,$$

because $|x| \ge 1$, contrary to our assumption.

Next, we show that x and y have opposite signs. First, suppose that y < 0. Because
$q_k x = s - q_{k+1} y$, we know that x > 0, because $q_k x > 0$ and $q_k > 0$. When y > 0, because
$q_{k+1} y \ge q_{k+1} > s$, we see that $q_k x = s - q_{k+1} y < 0$, so that x < 0.

By Theorem 12.11, we know that either $p_k/q_k < \alpha < p_{k+1}/q_{k+1}$ or that
$p_{k+1}/q_{k+1} < \alpha < p_k/q_k$. In either case, we easily see that $q_k \alpha - p_k$ and $q_{k+1} \alpha - p_{k+1}$
have opposite signs.

From the simultaneous equations we started with, we see that

$$\begin{aligned}
|s\alpha - r| &= |(q_k x + q_{k+1} y)\alpha - (p_k x + p_{k+1} y)| \\
&= |x(q_k \alpha - p_k) + y(q_{k+1} \alpha - p_{k+1})|.
\end{aligned}$$

Combining the conclusions of the previous two paragraphs, we see that $x(q_k \alpha - p_k)$ and
$y(q_{k+1} \alpha - p_{k+1})$ have the same sign, so that

$$\begin{aligned}
|s\alpha - r| &= |x| \, |q_k \alpha - p_k| + |y| \, |q_{k+1} \alpha - p_{k+1}| \\
&\ge |x| \, |q_k \alpha - p_k| \\
&\ge |q_k \alpha - p_k|,
\end{aligned}$$

because $|x| \ge 1$. This contradicts our assumption.

We have shown that our assumption is false, and, consequently, the proof is com- 
plete. ■ 

Corollary 12.18.1. Let $\alpha$ be an irrational number and let $p_j/q_j$, j = 1, 2, ..., be the
convergents of the infinite simple continued fraction of $\alpha$. If r/s is a rational number,
where r and s are integers with s > 0, and if k is a positive integer such that

$$|\alpha - r/s| < |\alpha - p_k/q_k|,$$

then $s > q_k$.

Proof. Suppose that $s \le q_k$ and that

$$|\alpha - r/s| < |\alpha - p_k/q_k|.$$

By multiplying these two inequalities, we find that

$$s|\alpha - r/s| < q_k |\alpha - p_k/q_k|,$$

so that

$$|s\alpha - r| < |q_k \alpha - p_k|,$$

violating the conclusion of Theorem 12.18. ■

Example 12.11. The simple continued fraction of the real number π is π = [3; 7, 15,
1, 292, 1, 1, 1, 2, 1, 3, ...]. Note that there is no discernible pattern in the sequence
of partial quotients. The convergents of this continued fraction are the best rational
approximations to π. The first five are 3, 22/7, 333/106, 355/113, and 103,993/33,102.
We conclude from Corollary 12.18.1 that 22/7 is the best rational approximation of π
with denominator less than or equal to 105, and so on. ◄
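The sketch below is an added example, not code from the text. It runs the algorithm of Theorem 12.15 on $\sqrt{D}$ for any positive non-square integer D, which generalizes Example 12.10, and then checks the bound of Theorem 12.17 and the statement of Theorem 12.19 with exact integer arithmetic. Keeping each $\alpha_k$ in the form $(P + \sqrt{D})/Q$ is an implementation choice made here so that no floating-point rounding enters; the function names and search limits are likewise assumptions of this sketch.

```python
from math import gcd, isqrt


def sqrt_expansion(D, max_q):
    """Partial quotients and convergents of sqrt(D), until a denominator exceeds max_q.

    Each alpha_k of Theorem 12.15 is stored exactly as (P + sqrt(D)) / Q with
    integers P and Q > 0, so a_k = [alpha_k] is computed with integer division.
    """
    root = isqrt(D)
    if root * root == D:
        raise ValueError("sqrt(D) is rational; Theorem 12.15 needs an irrational number")
    P, Q = 0, 1                          # alpha_0 = sqrt(D)
    p_prev, q_prev, p, q = 0, 1, 1, 0    # seeds chosen so that p_0 = a_0 and q_0 = 1
    quotients, convs = [], []
    while q <= max_q:
        a = (P + root) // Q              # a_k = [alpha_k]
        quotients.append(a)
        p, p_prev = a * p + p_prev, p    # recurrence of Theorem 12.9
        q, q_prev = a * q + q_prev, q
        convs.append((p, q))
        P = a * Q - P                    # alpha_{k+1} = 1 / (alpha_k - a_k), rationalized
        Q = (D - P * P) // Q
    return quotients, convs


def within(D, r, s, m):
    """Exact test of |sqrt(D) - r/s| < 1/(m*s^2) for positive integers r, s, m."""
    x, y = m * r * s, m * s * s          # same as |y*sqrt(D) - x| < 1 with x >= 1
    return (x - 1) ** 2 < y * y * D < (x + 1) ** 2


def close_fractions(D, max_s):
    """All r/s in lowest terms, s <= max_s, with |sqrt(D) - r/s| < 1/(2 s^2)."""
    found = []
    for s in range(1, max_s + 1):
        floor_r = isqrt(D * s * s)       # [s * sqrt(D)]
        # the bound forces |s*sqrt(D) - r| < 1/2, so r is one of the two neighbours
        for r in (floor_r, floor_r + 1):
            if gcd(r, s) == 1 and within(D, r, s, 2):
                found.append((r, s))
    return found


if __name__ == "__main__":
    quotients, convs = sqrt_expansion(6, 100)
    print(quotients)                                  # partial quotients of sqrt(6)
    print(all(within(6, p, q, 1) for p, q in convs))  # bound of Theorem 12.17
    # Theorem 12.19: every fraction this close to sqrt(6) is a convergent
    print(set(close_fractions(6, 100)) <= set(convs))
```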

Finally, we conclude this section with a result that shows that any sufficiently close 
rational approximation to an irrational number must be a convergent of the infinite simple 
continued fraction expansion of this number. 

Theorem 12.19. If $\alpha$ is an irrational number and if r/s is a rational number in lowest
terms, where r and s are integers with s > 0 such that

$$|\alpha - r/s| < 1/(2s^2),$$

then r/s is a convergent of the simple continued fraction expansion of $\alpha$.

Proof. Assume that r/s is not a convergent of the simple continued fraction expansion
of $\alpha$. Then there are successive convergents $p_k/q_k$ and $p_{k+1}/q_{k+1}$ such that $q_k \le s < q_{k+1}$.
By Theorem 12.18, we see that

$$|q_k \alpha - p_k| \le |s\alpha - r| = s|\alpha - r/s| < 1/(2s).$$

Dividing by $q_k$, we obtain

$$|\alpha - p_k/q_k| < 1/(2 s q_k).$$

Because we know that $|s p_k - r q_k| \ge 1$ (we know that $s p_k - r q_k$ is a nonzero integer
because $r/s \ne p_k/q_k$), it follows that

$$\begin{aligned}
\frac{1}{s q_k} &\le \frac{|s p_k - r q_k|}{s q_k} \\
&= \left| \frac{p_k}{q_k} - \frac{r}{s} \right| \\
&\le \left| \alpha - \frac{p_k}{q_k} \right| + \left| \alpha - \frac{r}{s} \right| \\
&< \frac{1}{2 s q_k} + \frac{1}{2 s^2}
\end{aligned}$$

(where we have used the triangle inequality to obtain the second inequality). Hence, we
see that

$$1/(2 s q_k) < 1/(2 s^2).$$

Consequently,

$$2 s q_k > 2 s^2,$$

which implies that $q_k > s$, contradicting the assumption. ■

Applying Continued Fractions to Attack the RSA Cryptosystem We can use a 
version of Theorem 12.19 for rational numbers to explain why an attack on certain 
implementations of RSA ciphers works. We leave it as an exercise to prove that this 
version of Theorem 12.19 is valid. 

Theorem 12.20. Wiener's Low Encryption Exponent Attack on RSA. Suppose that
$n = pq$, where $p$ and $q$ are odd primes with $q < p < 2q$, and that $d < n^{1/4}/3$. Then,
given an RSA encryption key $(e, n)$, the decryption key can be found using $O((\log n)^3)$
bit operations.

Proof. We will base the proof on approximation of a rational number by continued
fractions. First, note that because $de \equiv 1 \pmod{\phi(n)}$, there is an integer $k$ such that
$de - 1 = k\phi(n)$. Dividing both sides of this equation by $d\phi(n)$, we find that

\[ \frac{e}{\phi(n)} - \frac{1}{d\phi(n)} = \frac{k}{d}, \]

which implies that

\[ \frac{e}{\phi(n)} - \frac{k}{d} = \frac{1}{d\phi(n)}. \]

This shows that the fraction $k/d$ is a good approximation of $e/\phi(n)$.

Note also that $q < \sqrt{n}$, because $q < p$ and $n = pq$ by the hypotheses of the theorem.
Using the hypothesis that $q < p$, it follows that

\[ p + q - 1 < 2q + q - 1 = 3q - 1 < 3\sqrt{n}. \]

Because $\phi(n) = n - p - q + 1$, we see that $n - \phi(n) = n - (n - p - q + 1) = p +
q - 1 < 3\sqrt{n}$.

We can make use of this last inequality to show that $k/d$ is an excellent approximation
of $e/n$. We see that

\[ \left|\frac{e}{n} - \frac{k}{d}\right| = \left|\frac{de - kn}{nd}\right| = \left|\frac{(de - k\phi(n)) - (kn - k\phi(n))}{nd}\right| = \left|\frac{1 - k(n - \phi(n))}{nd}\right| \le \frac{3k\sqrt{n}}{nd} = \frac{3k}{d\sqrt{n}}. \]

Because $e < \phi(n)$, we see that $ke < k\phi(n) = de - 1 < de$. This implies that $k < d$. We
now use the hypothesis that $d < n^{1/4}/3$ to see that $k < n^{1/4}/3$.

It follows that

\[ \left|\frac{e}{n} - \frac{k}{d}\right| \le \frac{3k\sqrt{n}}{nd} < \frac{3(n^{1/4}/3)\sqrt{n}}{nd} = \frac{1}{dn^{1/4}} < \frac{1}{2d^2}. \]

We now use the version of Theorem 12.19 for rational numbers. By this theorem, we
know that $k/d$ is a convergent of the continued fraction expansion of $e/n$. Note also that
both $e$ and $n$ are public information. Consequently, to find $k/d$ we need only examine
the convergents of $e/n$. Because $k/d$ is a reduced fraction, to check each convergent to
see whether it equals $k/d$, we suppose that its numerator equals $k$. We then use this value
to compute $\phi(n)$, because $\phi(n) = (de - 1)/k$. We use this purported value of $\phi(n)$ and
the value of $n$ to factor $n$ (see the discussion in Section 8.4 to see how this is done).
Once we have found $k/d$, we know $d$ because $k/d$ is a reduced fraction and $d$ is its
denominator. To see that $k/d$ is reduced, note that $ed - k\phi(n) = 1$, which implies, by
Theorem 3.8, that $(d, k) = 1$. Because computing all convergents of a rational number
with denominator $n$ uses $O((\log n)^3)$ bit operations, we see that $d$ can be found using
$O((\log n)^3)$ bit operations. ■
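The convergent search from the proof of Theorem 12.20, written as a key-audit routine in Python. This is an added example, not code from the book: the function names and the small keys on n = 90581 = 379 · 239 are constructed for illustration, and the factoring step (recovering p + q = n − φ(n) + 1 and solving the resulting quadratic) is the standard method, assumed here to be the one the text cites from Section 8.4.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (p_j, q_j) of the simple continued fraction of num/den."""
    p_prev, p = 0, 1                       # p_{-2}, p_{-1}
    q_prev, q = 1, 0                       # q_{-2}, q_{-1}
    while den:
        a, rem = divmod(num, den)          # next partial quotient
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        yield p, q
        num, den = den, rem


def factor_from_phi(n, phi):
    """Return (p, q) with p >= q if phi equals phi(n) for n = p*q, else None."""
    s = n - phi + 1                        # p + q, since phi(n) = n - p - q + 1
    disc = s * s - 4 * n                   # (p - q)^2 when phi is correct
    if disc < 0:
        return None
    t = isqrt(disc)
    if t * t != disc or (s + t) % 2:
        return None
    p, q = (s + t) // 2, (s - t) // 2
    return (p, q) if q > 1 and p * q == n else None


def recover_small_d(e, n):
    """Test each convergent k/d of e/n as in the proof of Theorem 12.20.

    Returns (d, p, q) if some convergent yields a consistent phi(n), else None.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue                       # phi(n) = (de - 1)/k must be an integer
        factors = factor_from_phi(n, (e * d - 1) // k)
        if factors:
            return (d, *factors)
    return None


def d_within_wiener_bound(d, n):
    """True if d < n^(1/4)/3, i.e. 81*d^4 < n (the hypothesis on d in Theorem 12.20)."""
    return 81 * d ** 4 < n


def audit_key(e, n):
    """Label a public key 'weak' if the convergent search recovers its private exponent."""
    return "weak" if recover_small_d(e, n) else "not recovered"


# Constructed sample keys on one modulus, n = 379 * 239 with 239 < 379 < 2 * 239.
N = 90581
WEAK_E = 17993     # private exponent d = 5; 81 * 5**4 = 50625 < N
OTHER_E = 5        # private exponent d = 17993, far above the bound

if __name__ == "__main__":
    print(recover_small_d(WEAK_E, N))
    print(audit_key(OTHER_E, N))
```

A key generator can call `d_within_wiener_bound` on a freshly computed private exponent and reject the key when it returns true.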


12.3 Exercises 

1. Find the simple continued fractions of each of the following real numbers.

a) $\sqrt{2}$ b) $\sqrt{3}$ c) $\sqrt{5}$ d) $(1 + \sqrt{5})/2$

2. Find the first five partial quotients of the simple continued fractions of each of the following
real numbers.

a) b) $2\pi$ c) $(e - 1)/(e + 1)$ d) $(e^2 - 1)/(e^2 + 1)$

3. Find the best rational approximation to $\pi$ with a denominator less than or equal to 100,000.

4. The infinite simple continued fraction expansion of the number e is 

e = [2; 1, 2, 1, 1, 4, 1, 1, 6, 1, 1, 8, . . .]. 

a) Find the first eight convergents of the continued fraction of e. 

b) Find the best rational approximation to e having a denominator less than or equal to 536. 

* 5. Let $\alpha$ be an irrational number with simple continued fraction expansion $\alpha = [a_0; a_1, a_2, \ldots]$.
Show that the simple continued fraction of $-\alpha$ is $[-a_0 - 1; 1, a_1 - 1, a_2, a_3, \ldots]$
if $a_1 > 1$ and $[-a_0 - 1; a_2 + 1, a_3, \ldots]$ if $a_1 = 1$.

* 6. Show that if $p_k/q_k$ and $p_{k+1}/q_{k+1}$ are consecutive convergents of the simple continued
fraction of an irrational number $\alpha$, then

\[ |\alpha - p_k/q_k| < 1/(2q_k^2) \]

or

\[ |\alpha - p_{k+1}/q_{k+1}| < 1/(2q_{k+1}^2). \]

(Hint: First show that $|\alpha - p_{k+1}/q_{k+1}| + |\alpha - p_k/q_k| = |p_{k+1}/q_{k+1} - p_k/q_k| =
1/(q_kq_{k+1})$.)

>- 7. Let $\alpha$ be an irrational number, $\alpha > 1$. Show that the $k$th convergent of the simple continued
fraction of $1/\alpha$ is the reciprocal of the $(k - 1)$th convergent of the simple continued fraction
of $\alpha$.

* 8. Let $\alpha$ be an irrational number and let $p_j/q_j$ denote the $j$th convergent of the simple continued
fraction expansion of $\alpha$. Show that at least one of any three consecutive convergents satisfies
the inequality

\[ |\alpha - p_j/q_j| < 1/(\sqrt{5}\,q_j^2). \]

Conclude that there are infinitely many rational numbers $p/q$, where $p$ and $q$ are integers
with $q \ne 0$, such that

\[ |\alpha - p/q| < 1/(\sqrt{5}\,q^2). \]

* 9. Show that if $\alpha = (1 + \sqrt{5})/2$, and $c > \sqrt{5}$, then there are only a finite number of rational
numbers $p/q$, where $p$ and $q$ are integers, $q \ne 0$, such that

\[ |\alpha - p/q| < 1/(cq^2). \]

(Hint: Consider the convergents of the simple continued fraction expansion of $\sqrt{5}$.)

If $\alpha$ and $\beta$ are two real numbers, we say that $\beta$ is equivalent to $\alpha$ if there are integers $a$, $b$, $c$, and
$d$ such that $ad - bc = \pm 1$ and $\beta =$ .

10. Show that a real number $\alpha$ is equivalent to itself.

11. Show that if $\alpha$ and $\beta$ are real numbers with $\beta$ equivalent to $\alpha$, then $\alpha$ is equivalent to $\beta$. Hence,
we can say that two numbers $\alpha$ and $\beta$ are equivalent.

12. Show that if $\alpha$, $\beta$, and $\lambda$ are real numbers such that $\alpha$ and $\beta$ are equivalent and $\beta$ and $\lambda$ are
equivalent, then $\alpha$ and $\lambda$ are equivalent.

13. Show that any two rational numbers are equivalent.

* 14. Show that two irrational numbers $\alpha$ and $\beta$ are equivalent if and only if the tails of their
simple continued fractions agree, that is, if $\alpha = [a_0; a_1, a_2, \ldots, a_j, c_1, c_2, c_3, \ldots]$, $\beta =
[b_0; b_1, b_2, \ldots, b_k, c_1, c_2, c_3, \ldots]$, where $a_i$, $i = 0, 1, 2, \ldots, j$; $b_i$, $i = 0, 1, 2, \ldots, k$; and
$c_i$, $i = 1, 2, 3, \ldots$ are integers, all positive except perhaps $a_0$ and $b_0$.

Let $\alpha$ be an irrational number, and let the simple continued fraction expansion of $\alpha$ be $\alpha =
[a_0; a_1, a_2, \ldots]$. Let $p_k/q_k$ denote, as usual, the $k$th convergent of this continued fraction. We
define the pseudoconvergents of this continued fraction to be

\[ p_{k,t}/q_{k,t} = (tp_{k-1} + p_{k-2})/(tq_{k-1} + q_{k-2}), \]

where $k$ is a positive integer, $k \ge 2$, and $t$ is an integer with $0 < t < a_k$.

15. Show that each pseudoconvergent is in lowest terms.

* 16. Show that the sequence of rational numbers $p_{k,2}/q_{k,2}, \ldots, p_{k,a_k-1}/q_{k,a_k-1}, p_k/q_k$ is
increasing if $k$ is even, and decreasing if $k$ is odd.

* 17. Show that if $r$ and $s$ are integers with $s > 0$ such that

\[ |\alpha - r/s| < |\alpha - p_{k,t}/q_{k,t}|, \]

where $k$ is a positive integer and $0 < t < a_k$, then $s > q_{k,t}$ or $r/s = p_{k-1}/q_{k-1}$. This shows
that the closest rational approximations to a real number are the convergents and
pseudoconvergents of its simple continued fraction.

18. Find the pseudoconvergents of the simple continued fraction of $\pi$ for $k = 2$.

19. Find a rational number $r/s$ that is closer to $\pi$ than 22/7 with denominator $s$ less than 106.
(Hint: Use Exercise 17.)

20. Find the rational number $r/s$ that is closest to $e$ with denominator $s$ less than 100.

21. Show that the version of Theorem 12.19 for rational numbers is valid. That is, show that if
$a$, $b$, $c$, and $d$ are all integers with $b$ and $d$ nonzero, $(a, b) = (c, d) = 1$, and

\[ \left|\frac{a}{b} - \frac{c}{d}\right| < \frac{1}{2d^2}, \]

then $c/d$ is a convergent of the continued fraction expansion of $a/b$.

22. Show that computing all convergents of a rational number with denominator $n$ can be done
using $O((\log n)^3)$ bit operations.

Computations and Explorations 

1. Compute the first 100 partial quotients of each of the real numbers in Exercise 2. 

2. Compute the first 100 partial quotients of the simple continued fraction of $e^2$. From this, find
the rule for the partial quotients of this simple continued fraction.

3. Compute the first 1000 partial quotients of the simple continued fraction of $\pi$. What is the
largest partial quotient that appears? How often does the integer 1 appear as a partial quotient?

Programming Projects 

1. Given a real number x, find the simple continued fraction of x. 

2. Given an irrational number x and a positive integer n, find the best rational approximation to 
x with denominator not exceeding n. 


12.4 Periodic Continued Fractions 

In this section, we study infinite continued fractions that are periodic. We will show that 
an infinite continued fraction is periodic if and only if the real number it represents is a 
quadratic irrationality. We begin with a definition. 

Definition. Periodic Continued Fractions. We call the infinite simple continued
fraction $[a_0; a_1, a_2, \ldots]$ periodic if there are positive integers $N$ and $k$ such that $a_n = a_{n+k}$
for all positive integers $n$ with $n \ge N$. We use the notation

\[ [a_0; a_1, a_2, \ldots, a_{N-1}, \overline{a_N, \ldots, a_{N+k-1}}] \]

to express the periodic infinite simple continued fraction

\[ [a_0; a_1, a_2, \ldots, a_{N-1}, a_N, a_{N+1}, \ldots, a_{N+k-1}, a_N, a_{N+1}, \ldots]. \]

For instance, $[1; 2, \overline{3, 4}]$ denotes the infinite simple continued fraction $[1; 2, 3,
4, 3, 4, 3, 4, \ldots]$.

In Section 12.1, we showed that the base b expansion of a number is periodic if and 
only if the number is rational. To characterize those irrational numbers with periodic 
infinite simple continued fractions, we need the following definition. 

Definition. Quadratic Irrationalities. The real number $\alpha$ is said to be a quadratic
irrationality if $\alpha$ is irrational and is a root of a quadratic polynomial with integer
coefficients, that is,

\[ A\alpha^2 + B\alpha + C = 0, \]

where $A$, $B$, and $C$ are integers and $A \ne 0$.

Example 12.12. Let $\alpha = 2 + \sqrt{3}$. Then $\alpha$ is irrational, for if $\alpha$ were rational, then by
Exercise 3 of Section 1.1, $\alpha - 2 = \sqrt{3}$ would be rational, contradicting Theorem 3.18.
Next, note that

\[ \alpha^2 - 4\alpha + 1 = (7 + 4\sqrt{3}) - 4(2 + \sqrt{3}) + 1 = 0. \]

Hence, $\alpha$ is a quadratic irrationality. ◄

We will show that the infinite simple continued fraction of an irrational number is 
periodic if and only if this number is a quadratic irrationality. Before we do this, we first 
develop some useful results about quadratic irrationalities. 

Lemma 12.1. The real number $\alpha$ is a quadratic irrationality if and only if there are
integers $a$, $b$, and $c$ with $b > 0$ and $c \ne 0$ such that $b$ is not a perfect square and

\[ \alpha = (a + \sqrt{b})/c. \]

Proof. If $\alpha$ is a quadratic irrationality, then $\alpha$ is irrational, and there are integers $A$, $B$,
and $C$ such that $A\alpha^2 + B\alpha + C = 0$. From the quadratic formula, we know that

\[ \alpha = \frac{-B \pm \sqrt{B^2 - 4AC}}{2A}. \]

Because $\alpha$ is a real number, we have $B^2 - 4AC > 0$, and because $\alpha$ is irrational,
$B^2 - 4AC$ is not a perfect square and $A \ne 0$. By either taking $a = -B$, $b = B^2 - 4AC$,
and $c = 2A$, or $a = B$, $b = B^2 - 4AC$, and $c = -2A$, we have our desired representation
of $\alpha$.

Conversely, if

\[ \alpha = (a + \sqrt{b})/c, \]

where $a$, $b$, and $c$ are integers with $b > 0$, $c \ne 0$, and $b$ not a perfect square, then by
Exercise 3 of Section 1.1 and Theorem 3.18, we can easily see that $\alpha$ is irrational.
Furthermore, we note that

\[ c^2\alpha^2 - 2ac\alpha + (a^2 - b) = 0, \]

so that $\alpha$ is a quadratic irrationality. ■

The following lemma will be used when we show that periodic simple continued 
fractions represent quadratic irrationalities. 

Lemma 12.2. If $\alpha$ is a quadratic irrationality and if $r$, $s$, $t$, and $u$ are integers, then
$(r\alpha + s)/(t\alpha + u)$ is either rational or a quadratic irrationality.

Proof. From Lemma 12.1, there are integers $a$, $b$, and $c$ with $b > 0$, $c \ne 0$, and $b$ not a
perfect square, such that

\[ \alpha = (a + \sqrt{b})/c. \]

Thus,

\[
\begin{aligned}
\frac{r\alpha + s}{t\alpha + u}
 &= \left[\frac{r(a + \sqrt{b})}{c} + s\right] \Big/ \left[\frac{t(a + \sqrt{b})}{c} + u\right] \\
 &= \frac{(ar + cs) + r\sqrt{b}}{(at + cu) + t\sqrt{b}} \\
 &= \frac{[(ar + cs) + r\sqrt{b}][(at + cu) - t\sqrt{b}]}{[(at + cu) + t\sqrt{b}][(at + cu) - t\sqrt{b}]} \\
 &= \frac{[(ar + cs)(at + cu) - rtb] + [r(at + cu) - t(ar + cs)]\sqrt{b}}{(at + cu)^2 - t^2b}.
\end{aligned}
\]

Hence, by Lemma 12.1, $(r\alpha + s)/(t\alpha + u)$ is a quadratic irrationality, unless the
coefficient of $\sqrt{b}$ is zero, which would imply that this number is rational. ■

In our subsequent discussions of simple continued fractions of quadratic irrational- 
ities, we will use the notion of the conjugate of a quadratic irrationality. 

Definition. Let $\alpha = (a + \sqrt{b})/c$ be a quadratic irrationality. Then the conjugate of $\alpha$,
denoted by $\alpha'$, is defined by $\alpha' = (a - \sqrt{b})/c$.

Lemma 12.3. If the quadratic irrationality $\alpha$ is a root of the polynomial $Ax^2 + Bx +
C = 0$, then the other root of this polynomial is $\alpha'$, the conjugate of $\alpha$.

Proof. From the quadratic formula, we see that the two roots of $Ax^2 + Bx + C = 0$
are

\[ \frac{-B \pm \sqrt{B^2 - 4AC}}{2A}. \]

If $\alpha$ is one of these roots, then $\alpha'$ is the other root, because the sign of $\sqrt{B^2 - 4AC}$ is
reversed to obtain $\alpha'$ from $\alpha$. ■
The following lemma tells us how to find the conjugates of arithmetic expressions
involving quadratic irrationalities.

Lemma 12.4. If $\alpha_1 = (a_1 + b_1\sqrt{d})/c_1$ and $\alpha_2 = (a_2 + b_2\sqrt{d})/c_2$ are rational numbers
or quadratic irrationalities, then

(i) $(\alpha_1 + \alpha_2)' = \alpha_1' + \alpha_2'$

(ii) $(\alpha_1 - \alpha_2)' = \alpha_1' - \alpha_2'$

(iii) $(\alpha_1\alpha_2)' = \alpha_1'\alpha_2'$

(iv) $(\alpha_1/\alpha_2)' = \alpha_1'/\alpha_2'$.

The proof of (iv) will be given here; the proofs of the other parts are easier and appear
at the end of this section as problems for the reader.

Proof of (iv). Note that

\[
\begin{aligned}
\alpha_1/\alpha_2 &= \frac{(a_1 + b_1\sqrt{d})/c_1}{(a_2 + b_2\sqrt{d})/c_2} \\
 &= \frac{c_2(a_1 + b_1\sqrt{d})(a_2 - b_2\sqrt{d})}{c_1(a_2 + b_2\sqrt{d})(a_2 - b_2\sqrt{d})} \\
 &= \frac{(c_2a_1a_2 - c_2b_1b_2d) + (c_2a_2b_1 - c_2a_1b_2)\sqrt{d}}{c_1(a_2^2 - b_2^2d)},
\end{aligned}
\]

whereas

\[
\begin{aligned}
\alpha_1'/\alpha_2' &= \frac{(a_1 - b_1\sqrt{d})/c_1}{(a_2 - b_2\sqrt{d})/c_2} \\
 &= \frac{c_2(a_1 - b_1\sqrt{d})(a_2 + b_2\sqrt{d})}{c_1(a_2 - b_2\sqrt{d})(a_2 + b_2\sqrt{d})} \\
 &= \frac{(c_2a_1a_2 - c_2b_1b_2d) - (c_2a_2b_1 - c_2a_1b_2)\sqrt{d}}{c_1(a_2^2 - b_2^2d)}.
\end{aligned}
\]

Hence, $(\alpha_1/\alpha_2)' = \alpha_1'/\alpha_2'$. ■

The fundamental result about periodic simple continued fractions is called Lagrange's
theorem (although part of the theorem was proved by Euler). (Note that this
theorem is different from Lagrange's theorem on polynomial congruences discussed in
Chapter 9. In this chapter, we do not refer to that result.) Euler proved in 1737 that a
periodic infinite simple continued fraction represents a quadratic irrationality. Lagrange
showed in 1770 that a quadratic irrationality has a periodic continued fraction.

Theorem 12.21. Lagrange's Theorem. The infinite simple continued fraction of an
irrational number is periodic if and only if this number is a quadratic irrationality.

We first prove that a periodic continued fraction represents a quadratic irrationality.
The converse, that the simple continued fraction of a quadratic irrationality is periodic,
will be proved after a special algorithm for obtaining the continued fraction of a quadratic
irrationality is developed.

Proof. Let the simple continued fraction of $\alpha$ be periodic, so that

\[ \alpha = [a_0; a_1, a_2, \ldots, a_{N-1}, \overline{a_N, a_{N+1}, \ldots, a_{N+k}}]. \]

Now, let

\[ \beta = [\overline{a_N; a_{N+1}, \ldots, a_{N+k}}]. \]

Then

\[ \beta = [a_N; a_{N+1}, \ldots, a_{N+k}, \beta], \]

and by Theorem 12.9, it follows that

\[ \beta = \frac{\beta p_k + p_{k-1}}{\beta q_k + q_{k-1}}, \tag{12.13} \]

where $p_k/q_k$ and $p_{k-1}/q_{k-1}$ are convergents of $[a_N; a_{N+1}, \ldots, a_{N+k}]$. Because the
simple continued fraction of $\beta$ is infinite, $\beta$ is irrational, and by (12.13), we have

\[ q_k\beta^2 + (q_{k-1} - p_k)\beta - p_{k-1} = 0, \]

so that $\beta$ is a quadratic irrationality. Now, note that

\[ \alpha = [a_0; a_1, a_2, \ldots, a_{N-1}, \beta], \]

so that, from Theorem 12.11, we have

\[ \alpha = \frac{\beta p_{N-1} + p_{N-2}}{\beta q_{N-1} + q_{N-2}}, \]

where $p_{N-1}/q_{N-1}$ and $p_{N-2}/q_{N-2}$ are convergents of $[a_0; a_1, a_2, \ldots, a_{N-1}]$. Because $\beta$
is a quadratic irrationality, Lemma 12.2 tells us that $\alpha$ is also a quadratic irrationality (we
know that $\alpha$ is irrational because it has an infinite simple continued fraction expansion).


The following example shows how to use the proof of Theorem 12.21 to find the 
quadratic irrationality represented by a periodic simple continued fraction. 


Example 12.13. Let $x = [3; \overline{1, 2}]$. By Theorem 12.21, we know that $x$ is a quadratic
irrationality. To find the value of $x$, we let $x = [3; y]$, where $y = [\overline{1; 2}]$, as in the proof of
Theorem 12.21. We have $y = [1; 2, y]$, so that

\[ y = 1 + \cfrac{1}{2 + \cfrac{1}{y}} = \frac{3y + 1}{2y + 1}. \]

It follows that $2y^2 - 2y - 1 = 0$. Because $y$ is positive, by the quadratic formula, we
have $y = (1 + \sqrt{3})/2$. Because $x = 3 + \frac{1}{y}$, we have

\[ x = 3 + \frac{2}{1 + \sqrt{3}} = 3 + \frac{2 - 2\sqrt{3}}{-2} = \frac{4 + 2\sqrt{3}}{2}. \]

◄


To develop an algorithm for finding the simple continued fraction of a quadratic 
irrationality, we need the following lemma. 

Lemma 12.5. If $\alpha$ is a quadratic irrationality, then $\alpha$ can be written as

\[ \alpha = (P + \sqrt{d})/Q, \]

where $P$, $Q$, and $d$ are integers, $Q \ne 0$, $d > 0$, $d$ is not a perfect square, and $Q \mid (d - P^2)$.

Proof. Because $\alpha$ is a quadratic irrationality, Lemma 12.1 tells us that

\[ \alpha = (a + \sqrt{b})/c, \]

where $a$, $b$, and $c$ are integers, $b > 0$, and $c \ne 0$. We multiply both the numerator and
the denominator of this expression for $\alpha$ by $|c|$ to obtain

\[ \alpha = \frac{a|c| + \sqrt{bc^2}}{c|c|} \]

(where we have used the fact that $|c| = \sqrt{c^2}$). Now, let $P = a|c|$, $Q = c|c|$, and $d = bc^2$.
Then $P$, $Q$, and $d$ are integers, $Q \ne 0$ because $c \ne 0$, $d > 0$ (because $b > 0$), $d$ is not
a perfect square because $b$ is not a perfect square, and, finally, $Q \mid (d - P^2)$ because
$d - P^2 = bc^2 - a^2c^2 = c^2(b - a^2) = \pm Q(b - a^2)$. ■

We now present an algorithm for finding the simple continued fractions of quadratic 
irrationalities. 


Theorem 12.22. Let $\alpha$ be a quadratic irrationality, so that by Lemma 12.5 there are
integers $P_0$, $Q_0$, and $d$ such that

\[ \alpha = (P_0 + \sqrt{d})/Q_0, \]

where $Q_0 \ne 0$, $d > 0$, $d$ is not a perfect square, and $Q_0 \mid (d - P_0^2)$. Recursively define

\[
\begin{aligned}
\alpha_k &= (P_k + \sqrt{d})/Q_k, \\
a_k &= [\alpha_k], \\
P_{k+1} &= a_kQ_k - P_k, \\
Q_{k+1} &= (d - P_{k+1}^2)/Q_k,
\end{aligned}
\]

for $k = 0, 1, 2, \ldots$. Then $\alpha = [a_0; a_1, a_2, \ldots]$.

Proof. Using mathematical induction, we will show that $P_k$ and $Q_k$ are integers with
$Q_k \ne 0$ and $Q_k \mid (d - P_k^2)$, for $k = 0, 1, 2, \ldots$. First, note that this assertion is true for
$k = 0$ from the hypotheses of the theorem. Next, assume that $P_k$ and $Q_k$ are integers with
$Q_k \ne 0$ and $Q_k \mid (d - P_k^2)$. Then,

\[ P_{k+1} = a_kQ_k - P_k \]

is also an integer. Further,

\[
\begin{aligned}
Q_{k+1} &= (d - P_{k+1}^2)/Q_k \\
 &= [d - (a_kQ_k - P_k)^2]/Q_k \\
 &= (d - P_k^2)/Q_k + (2a_kP_k - a_k^2Q_k).
\end{aligned}
\]

Because $Q_k \mid (d - P_k^2)$, by the induction hypothesis we see that $Q_{k+1}$ is an integer, and
because $d$ is not a perfect square, we see that $d \ne P_{k+1}^2$, so that $Q_{k+1} = (d - P_{k+1}^2)/Q_k \ne 0$.
Because

\[ Q_k = (d - P_{k+1}^2)/Q_{k+1}, \]

we can conclude that $Q_{k+1} \mid (d - P_{k+1}^2)$. This finishes the inductive argument.

To demonstrate that the integers $a_0, a_1, a_2, \ldots$ are the partial quotients of the simple
continued fraction of $\alpha$, we use Theorem 12.15. If we can show that

\[ \alpha_{k+1} = 1/(\alpha_k - a_k), \]

for $k = 0, 1, 2, \ldots$, then we know that $\alpha = [a_0; a_1, a_2, \ldots]$. Note that

\[
\begin{aligned}
\alpha_k - a_k &= (P_k + \sqrt{d})/Q_k - a_k \\
 &= [\sqrt{d} - (a_kQ_k - P_k)]/Q_k \\
 &= (\sqrt{d} - P_{k+1})/Q_k \\
 &= (\sqrt{d} - P_{k+1})(\sqrt{d} + P_{k+1})/(Q_k(\sqrt{d} + P_{k+1})) \\
 &= (d - P_{k+1}^2)/(Q_k(\sqrt{d} + P_{k+1})) \\
 &= Q_kQ_{k+1}/(Q_k(\sqrt{d} + P_{k+1})) \\
 &= Q_{k+1}/(\sqrt{d} + P_{k+1}) \\
 &= 1/\alpha_{k+1},
\end{aligned}
\]

where we have used the defining relation for $Q_{k+1}$ to replace $d - P_{k+1}^2$ with $Q_kQ_{k+1}$.
Hence, we can conclude that $\alpha = [a_0; a_1, a_2, \ldots]$. ■

We illustrate the use of the algorithm given in Theorem 12.22 with the following 
example. 

Example 12.14. Let $\alpha = (3 + \sqrt{7})/2$. Using Lemma 12.5, we write

\[ \alpha = (6 + \sqrt{28})/4, \]

where we set $P_0 = 6$, $Q_0 = 4$, and $d = 28$. Hence, $a_0 = [\alpha] = 2$, and

\[
\begin{aligned}
P_1 &= 2 \cdot 4 - 6 = 2, & \alpha_1 &= (2 + \sqrt{28})/6, \\
Q_1 &= (28 - 2^2)/4 = 6, & a_1 &= [(2 + \sqrt{28})/6] = 1, \\
P_2 &= 1 \cdot 6 - 2 = 4, & \alpha_2 &= (4 + \sqrt{28})/2, \\
Q_2 &= (28 - 4^2)/6 = 2, & a_2 &= [(4 + \sqrt{28})/2] = 4, \\
P_3 &= 4 \cdot 2 - 4 = 4, & \alpha_3 &= (4 + \sqrt{28})/6, \\
Q_3 &= (28 - 4^2)/2 = 6, & a_3 &= [(4 + \sqrt{28})/6] = 1, \\
P_4 &= 1 \cdot 6 - 4 = 2, & \alpha_4 &= (2 + \sqrt{28})/4, \\
Q_4 &= (28 - 2^2)/6 = 4, & a_4 &= [(2 + \sqrt{28})/4] = 1, \\
P_5 &= 1 \cdot 4 - 2 = 2, & \alpha_5 &= (2 + \sqrt{28})/6, \\
Q_5 &= (28 - 2^2)/4 = 6, & a_5 &= [(2 + \sqrt{28})/6] = 1,
\end{aligned}
\]

and so on, with repetition, because $P_1 = P_5$ and $Q_1 = Q_5$. Hence, we see that

\[ (3 + \sqrt{7})/2 = [2; 1, 4, 1, 1, 1, 4, 1, 1, \ldots] = [2; \overline{1, 4, 1, 1}]. \]

◄
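The recursion of Theorem 12.22, with the normalization of Lemma 12.5, as an added Python example (not code from the book; the function names are illustrative). It uses only integer arithmetic, stops at the first repeated pair (P_k, Q_k) as Example 12.14 does, and also handles a negative Q, which the worked example does not exercise.

```python
from math import isqrt


def normalize(a, b, c):
    """Lemma 12.5: write (a + sqrt(b))/c as (P + sqrt(d))/Q with Q | (d - P^2)."""
    if b <= 0 or c == 0 or isqrt(b) ** 2 == b:
        raise ValueError("need b > 0 not a perfect square and c != 0")
    return a * abs(c), c * abs(c), b * c * c


def floor_quadratic(P, Q, d):
    """Exact integer part of (P + sqrt(d))/Q for nonsquare d, without floating point."""
    r = isqrt(d)                       # r < sqrt(d) < r + 1
    if Q > 0:
        return (P + r) // Q
    return (-P - r - 1) // (-Q)        # floor(-P - sqrt(d)) = -P - r - 1


def quadratic_cf(P, Q, d):
    """Run the recursion of Theorem 12.22 until a pair (P_k, Q_k) repeats.

    Returns (pre_period, period) as lists of partial quotients.
    """
    if Q == 0 or d <= 0 or isqrt(d) ** 2 == d or (d - P * P) % Q:
        raise ValueError("hypotheses of Theorem 12.22 are not met")
    first_seen = {}                    # (P_k, Q_k) -> index k
    quotients = []
    while (P, Q) not in first_seen:
        first_seen[(P, Q)] = len(quotients)
        a = floor_quadratic(P, Q, d)   # a_k = [alpha_k]
        quotients.append(a)
        P = a * Q - P                  # P_{k+1} = a_k Q_k - P_k
        Q = (d - P * P) // Q           # Q_{k+1} = (d - P_{k+1}^2) / Q_k
    start = first_seen[(P, Q)]
    return quotients[:start], quotients[start:]


def sqrt_cf(D):
    """Pre-period and period of the simple continued fraction of sqrt(D)."""
    return quadratic_cf(0, 1, D)


if __name__ == "__main__":
    # Example 12.14: (3 + sqrt(7))/2 = (6 + sqrt(28))/4
    print(quadratic_cf(*normalize(3, 7, 2)))
    # (5 - sqrt(7))/4 written as (-5 + sqrt(7))/(-4), so Q starts negative
    print(quadratic_cf(*normalize(-5, 7, -4)))
```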

We now finish the proof of Lagrange's theorem by showing that the simple continued
fraction expansion of a quadratic irrationality is periodic.

Proof of Theorem 12.21 (continued). Let $\alpha$ be a quadratic irrationality, so that by
Lemma 12.5, we can write $\alpha$ as

\[ \alpha = (P_0 + \sqrt{d})/Q_0. \]

Furthermore, by Theorem 12.20, we have $\alpha = [a_0; a_1, a_2, \ldots]$, where

\[
\begin{aligned}
\alpha_k &= (P_k + \sqrt{d})/Q_k, \\
a_k &= [\alpha_k], \\
P_{k+1} &= a_kQ_k - P_k, \\
Q_{k+1} &= (d - P_{k+1}^2)/Q_k,
\end{aligned}
\]

for $k = 0, 1, 2, \ldots$.

Because $\alpha = [a_0; a_1, a_2, \ldots, a_{k-1}, \alpha_k]$, Theorem 12.11 tells us that

\[ \alpha = (p_{k-1}\alpha_k + p_{k-2})/(q_{k-1}\alpha_k + q_{k-2}). \]

Taking conjugates of both sides of this equation, and using Lemma 12.4, we see that

\[ \alpha' = (p_{k-1}\alpha_k' + p_{k-2})/(q_{k-1}\alpha_k' + q_{k-2}). \tag{12.14} \]
When we solve (12.14) for $\alpha_k'$, we find that



Note that the convergents $p_{k-2}/q_{k-2}$ and $p_{k-1}/q_{k-1}$ tend to $\alpha$ as $k$ tends to infinity, so
that




tends to 1. Hence, there is an integer $N$ such that $\alpha_k' < 0$ for $k \ge N$. Because $\alpha_k > 0$ for
$k \ge 1$, we have

\[ \alpha_k - \alpha_k' = \frac{P_k + \sqrt{d}}{Q_k} - \frac{P_k - \sqrt{d}}{Q_k} = \frac{2\sqrt{d}}{Q_k} > 0, \]

so that $Q_k > 0$ for $k \ge N$.

Because $Q_kQ_{k+1} = d - P_{k+1}^2$, we see that for $k \ge N$,

\[ Q_k \le Q_kQ_{k+1} = d - P_{k+1}^2 \le d. \]

Also for $k \ge N$, we have

\[ P_{k+1}^2 < d = P_{k+1}^2 + Q_kQ_{k+1}, \]

so that

\[ -\sqrt{d} < P_{k+1} < \sqrt{d}. \]

From the inequalities $0 < Q_k \le d$ and $-\sqrt{d} < P_{k+1} < \sqrt{d}$, which hold for $k \ge N$, we see
that there are only a finite number of possible values for the pair of integers $P_k$, $Q_k$ for
$k > N$. Because there are infinitely many integers $k$ with $k \ge N$, there are two integers
$i$ and $j$ such that $P_i = P_j$ and $Q_i = Q_j$ with $i < j$. Hence, from the defining relation
for $\alpha_k$, we see that $\alpha_i = \alpha_j$. Consequently, we can see that $a_i = a_j$, $a_{i+1} = a_{j+1}$, $a_{i+2} =
a_{j+2}$, .... Hence,

\[
\begin{aligned}
\alpha &= [a_0; a_1, a_2, \ldots, a_{i-1}, a_i, a_{i+1}, \ldots, a_{j-1}, a_i, a_{i+1}, \ldots, a_{j-1}, \ldots] \\
 &= [a_0; a_1, a_2, \ldots, a_{i-1}, \overline{a_i, a_{i+1}, \ldots, a_{j-1}}].
\end{aligned}
\]

This shows that $\alpha$ has a periodic simple continued fraction. ■


Purely Periodic Continued Fractions Next, we investigate those periodic simple 
continued fractions that are purely periodic, that is, those without a pre-period. 


Definition. The continued fraction $[a_0; a_1, a_2, \ldots]$ is purely periodic if there is an
integer $n$ such that $a_k = a_{n+k}$, for $k = 0, 1, 2, \ldots$, so that

\[ [a_0; a_1, a_2, \ldots] = [\overline{a_0; a_1, a_2, a_3, \ldots, a_{n-1}}]. \]

Example 12.15. The continued fraction $[\overline{2; 3}] = (1 + \sqrt{3})/2$ is purely periodic,
whereas $[2; \overline{2, 4}] = \sqrt{6}$ is not. ◄

The next definition and theorem describe those quadratic irrationalities with purely 
periodic simple continued fractions. 

Definition. A quadratic irrationality $\alpha$ is called reduced if $\alpha > 1$ and $-1 < \alpha' < 0$,
where $\alpha'$ is the conjugate of $\alpha$.

Theorem 12.23. The simple continued fraction of the quadratic irrationality $\alpha$ is purely
periodic if and only if $\alpha$ is reduced. Further, if $\alpha$ is reduced and $\alpha = [\overline{a_0; a_1, a_2, \ldots, a_n}]$,
then the continued fraction of $-1/\alpha'$ is $[\overline{a_n; a_{n-1}, \ldots, a_0}]$.

Proof. First, assume that $\alpha$ is a reduced quadratic irrationality. Recall from Theorem
12.18 that the partial fractions of the simple continued fraction of $\alpha$ are given by

\[ a_k = [\alpha_k], \quad \alpha_{k+1} = 1/(\alpha_k - a_k), \]

for $k = 0, 1, 2, \ldots$, where $\alpha_0 = \alpha$. We see that

\[ 1/\alpha_{k+1} = \alpha_k - a_k, \]

and by taking conjugates and using Lemma 12.4, we see that

\[ 1/\alpha_{k+1}' = \alpha_k' - a_k. \tag{12.15} \]

We can prove, by mathematical induction, that $-1 < \alpha_k' < 0$ for $k = 0, 1, 2, \ldots$. First,
note that because $\alpha_0 = \alpha$ is reduced, $-1 < \alpha_0' < 0$. Now, assume that $-1 < \alpha_k' < 0$. Then,
because $a_k \ge 1$ for $k = 0, 1, 2, \ldots$ (note that $a_0 \ge 1$ because $\alpha > 1$), we see from (12.15)
that

\[ 1/\alpha_{k+1}' < -1, \]

so that $-1 < \alpha_{k+1}' < 0$. Hence, $-1 < \alpha_k' < 0$ for $k = 0, 1, 2, \ldots$.
Next, note that from (12.15) we have

\[ \alpha_k' = a_k + 1/\alpha_{k+1}', \]

and because $-1 < \alpha_k' < 0$, it follows that

\[ -1 < a_k + 1/\alpha_{k+1}' < 0. \]

Consequently,

\[ -1 - 1/\alpha_{k+1}' < a_k < -1/\alpha_{k+1}', \]

so that

\[ a_k = [-1/\alpha_{k+1}']. \]

Because $\alpha$ is a quadratic irrationality, the proof of Lagrange's theorem shows that there
are nonnegative integers $i$ and $j$, $i < j$, such that $\alpha_i = \alpha_j$, and hence with $-1/\alpha_i' =
-1/\alpha_j'$. Because $a_{i-1} = [-1/\alpha_i']$ and $a_{j-1} = [-1/\alpha_j']$, we see that $a_{i-1} = a_{j-1}$.
Furthermore, because $\alpha_{i-1} = a_{i-1} + 1/\alpha_i$ and $\alpha_{j-1} = a_{j-1} + 1/\alpha_j$, we also see that $\alpha_{i-1} = \alpha_{j-1}$.
Continuing this argument, we see that $\alpha_{i-2} = \alpha_{j-2}$, $\alpha_{i-3} = \alpha_{j-3}$, ..., and, finally, that
$\alpha_0 = \alpha_{j-i}$. Because

\[
\begin{aligned}
\alpha_0 = \alpha &= [a_0; a_1, \ldots, a_{j-i-1}, \alpha_{j-i}] \\
 &= [a_0; a_1, \ldots, a_{j-i-1}, \alpha_0] \\
 &= [\overline{a_0; a_1, \ldots, a_{j-i-1}}],
\end{aligned}
\]

we see that the simple continued fraction of $\alpha$ is purely periodic.


To prove the converse, assume that $\alpha$ is a quadratic irrationality with a purely
periodic continued fraction $\alpha = [\overline{a_0; a_1, a_2, \ldots, a_k}]$. Because $\alpha = [a_0; a_1, a_2, \ldots, a_k, \alpha]$,
Theorem 12.11 tells that

\[ \alpha = \frac{\alpha p_k + p_{k-1}}{\alpha q_k + q_{k-1}}, \tag{12.16} \]

where $p_{k-1}/q_{k-1}$ and $p_k/q_k$ are the $(k - 1)$th and $k$th convergents of the continued
fraction expansion of $\alpha$. From (12.16), we see that

\[ q_k\alpha^2 + (q_{k-1} - p_k)\alpha - p_{k-1} = 0. \tag{12.17} \]

Now let $\beta$ be the quadratic irrationality such that $\beta = [\overline{a_k; a_{k-1}, \ldots, a_1, a_0}]$, that is, with
the period of the simple continued fraction for $\alpha$ reversed. Then $\beta = [a_k; a_{k-1}, \ldots, a_1,
a_0, \beta]$, so that by Theorem 12.11, it follows that

\[ \beta = \frac{\beta p_k' + p_{k-1}'}{\beta q_k' + q_{k-1}'}, \tag{12.18} \]

where $p_{k-1}'/q_{k-1}'$ and $p_k'/q_k'$ are the $(k - 1)$th and $k$th convergents of the continued
fraction expansion of $\beta$. Note, however, from Exercise 10 of Section 12.2, that

\[ p_k/p_{k-1} = [a_k; a_{k-1}, \ldots, a_1, a_0] = p_k'/q_k' \]

and

\[ q_k/q_{k-1} = [a_k; a_{k-1}, \ldots, a_2, a_1] = p_{k-1}'/q_{k-1}'. \]

Because $p_{k-1}'/q_{k-1}'$ and $p_k'/q_k'$ are convergents, we know that they are in lowest terms.
Also, $p_k/p_{k-1}$ and $q_k/q_{k-1}$ are in lowest terms, because Theorem 12.12 tells us that
$p_kq_{k-1} - p_{k-1}q_k = (-1)^{k-1}$. Hence,

\[ p_k' = p_k, \quad q_k' = p_{k-1} \]

and

\[ p_{k-1}' = q_k, \quad q_{k-1}' = q_{k-1}. \]

Inserting these values into (12.18), we see that

\[ \beta = \frac{\beta p_k + q_k}{\beta p_{k-1} + q_{k-1}}. \]

Therefore, we know that

\[ p_{k-1}\beta^2 + (q_{k-1} - p_k)\beta - q_k = 0. \]

This implies that

\[ q_k(-1/\beta)^2 + (q_{k-1} - p_k)(-1/\beta) - p_{k-1} = 0. \tag{12.19} \]

By (12.17) and (12.19), we see that the two roots of the quadratic equation

\[ q_kx^2 + (q_{k-1} - p_k)x - p_{k-1} = 0 \]

are $\alpha$ and $-1/\beta$, so that by the quadratic equation, we have $\alpha' = -1/\beta$. Because
$\beta = [\overline{a_n; a_{n-1}, \ldots, a_1, a_0}]$, we see that $\beta > 1$, so that $-1 < \alpha' = -1/\beta < 0$. Hence, $\alpha$ is
a reduced quadratic irrationality.

Furthermore, note that because $\beta = -1/\alpha'$, it follows that

\[ -1/\alpha' = [\overline{a_n; a_{n-1}, \ldots, a_1, a_0}]. \] ■

We now find the form of the periodic simple continued fraction of $\sqrt{D}$, where $D$ is
a positive integer that is not a perfect square. Although $\sqrt{D}$ is not reduced, because its
conjugate, $-\sqrt{D}$, is not between $-1$ and 0, the quadratic irrationality $[\sqrt{D}] + \sqrt{D}$ is
reduced because its conjugate, $[\sqrt{D}] - \sqrt{D}$, does lie between $-1$ and 0. Therefore, from
Theorem 12.23, we know that the continued fraction of $[\sqrt{D}] + \sqrt{D}$ is purely periodic.
Because the initial partial quotient of the simple continued fraction of $[\sqrt{D}] + \sqrt{D}$ is
$[[\sqrt{D}] + \sqrt{D}] = 2[\sqrt{D}] = 2a_0$, where $a_0 = [\sqrt{D}]$, we can write

\[
\begin{aligned}
[\sqrt{D}] + \sqrt{D} &= [\overline{2a_0; a_1, a_2, \ldots, a_n}] \\
 &= [2a_0; a_1, a_2, \ldots, a_n, 2a_0, a_1, \ldots, a_n, \ldots].
\end{aligned}
\]

Subtracting $a_0 = [\sqrt{D}]$ from both sides of this equality, we find that

\[
\begin{aligned}
\sqrt{D} &= [a_0; a_1, a_2, \ldots, 2a_0, a_1, a_2, \ldots, 2a_0, \ldots] \\
 &= [a_0; \overline{a_1, a_2, \ldots, a_n, 2a_0}].
\end{aligned}
\]

To obtain even more information about the partial quotients of the continued fraction
of $\sqrt{D}$, we note that from Theorem 12.23, the simple continued fraction expansion of
$-1/([\sqrt{D}] - \sqrt{D})$ can be obtained from that for $[\sqrt{D}] + \sqrt{D}$ by reversing the period,
so that

\[ 1/(\sqrt{D} - [\sqrt{D}]) = [\overline{a_n; a_{n-1}, \ldots, a_1, 2a_0}]. \]

But also note that

\[ \sqrt{D} - [\sqrt{D}] = [0; \overline{a_1, a_2, \ldots, a_n, 2a_0}], \]

so that by taking reciprocals, we find that

\[ 1/(\sqrt{D} - [\sqrt{D}]) = [\overline{a_1; a_2, \ldots, a_n, 2a_0}]. \]

Therefore, when we equate these two expressions for the simple continued fraction of
$1/(\sqrt{D} - [\sqrt{D}])$, we obtain


so that the periodic part of the continued fraction for $\sqrt{D}$ is symmetric from the first to
the penultimate term.

In conclusion, we see that the simple continued fraction of $\sqrt{D}$ has the form

\[ \sqrt{D} = [a_0; \overline{a_1, a_2, \ldots, a_2, a_1, 2a_0}]. \]

We illustrate this with some examples. 

Example 12.16. Note that

\[
\begin{aligned}
\sqrt{23} &= [4; \overline{1, 3, 1, 8}], \\
\sqrt{31} &= [5; \overline{1, 1, 3, 5, 3, 1, 1, 10}], \\
\sqrt{46} &= [6; \overline{1, 2, 1, 1, 2, 6, 2, 1, 1, 2, 1, 12}], \\
\sqrt{76} &= [8; \overline{1, 2, 1, 1, 5, 4, 5, 1, 1, 2, 1, 16}],
\end{aligned}
\]

and

\[ \sqrt{97} = [9; \overline{1, 5, 1, 1, 1, 1, 1, 1, 5, 1, 18}], \]

where each continued fraction has a pre-period of length 1, and a period ending with
twice the first partial quotient, which is symmetric from the first to the next-to-the-last
term. ◄

The simple continued fraction expansions of $\sqrt{d}$ for positive integers $d$ such that $d$
is not a perfect square and $d < 100$ can be found in Table 5 of Appendix D.


12.4 Exercises 

1. Find the simple continued fractions of each of the following numbers.

a) $\sqrt{7}$ b) $\sqrt{11}$ c) $\sqrt{23}$ d) $\sqrt{47}$ e) $\sqrt{59}$ f) $\sqrt{94}$

2. Find the simple continued fractions of each of the following numbers.

a) $\sqrt{101}$ b) Vm c) $\sqrt{107}$ d) $\sqrt{201}$ e) $\sqrt{203}$ f) $\sqrt{209}$

3. Find the simple continued fractions of each of the following numbers.

a) $1 + \sqrt{2}$ b) $(2 + \sqrt{5})/3$ c) $(5 - \sqrt{7})/4$

4. Find the simple continued fractions of each of the following numbers.

a) $(1 + \sqrt{3})/2$ b) $(14 + \sqrt{37})/3$ c) $(13 - \sqrt{2})/7$

5. Find the quadratic irrationality with each of the following simple continued fraction expan- 
sions, 
a) [2; 1,5] 


b) [2; 1, 5] 


c) [2; 1, 5] 
6. Find the quadratic irrationality with each of the following simple continued fraction
expansions.

a) [1 ; 2, 3] b) [1; 273] c) [1-273] 

7. Find the quadratic irrationality with each of the following simple continued fraction expan- 
sions. 

a) [3; 6] b) [4; 8] c) [5; 10] d)[6;l2] 

8. a) Let d be a positive integer. Show that the simple continued fraction of $\sqrt{d^2 + 1}$ is $[d; \overline{2d}]$.

b) Use part (a) to find the simple continued fractions of $\sqrt{101}$, $\sqrt{290}$, and $\sqrt{2210}$.

9. Let d be an integer, d > 2.

a) Show that the simple continued fraction of $\sqrt{d^2 - 1}$ is $[d - 1; \overline{1, 2d - 2}]$.

b) Show that the simple continued fraction of $\sqrt{d^2 - d}$ is $[d - 1; \overline{2, 2d - 2}]$.

c) Use parts (a) and (b) to find the simple continued fractions of $\sqrt{99}$, $\sqrt{110}$, $\sqrt{272}$, and $\sqrt{600}$.

10. a) Show that if d is an integer, d > 3, then the simple continued fraction of $\sqrt{d^2 - 2}$ is $[d - 1; \overline{1, d - 2, 1, 2d - 2}]$.

b) Show that if d is a positive integer, then the simple continued fraction of $\sqrt{d^2 + 2}$ is $[d; \overline{d, 2d}]$.

c) Find the simple continued fraction expansions of $\sqrt{47}$, $\sqrt{51}$, and $\sqrt{287}$.

11. Let d be an odd positive integer.

a) Show that the simple continued fraction of $\sqrt{d^2 + 4}$ is $[d; \overline{(d - 1)/2, 1, 1, (d - 1)/2, 2d}]$, if d > 1.

b) Show that the simple continued fraction of $\sqrt{d^2 - 4}$ is $[d - 1; \overline{1, (d - 3)/2, 2, (d - 3)/2, 1, 2d - 2}]$, if d > 3.

12. Show that the simple continued fraction of $\sqrt{d}$, where d is a positive integer, has period length
one if and only if $d = a^2 + 1$, where a is a nonnegative integer.

13. Show that the simple continued fraction of $\sqrt{d}$, where d is a positive integer, has period length
two if and only if $d = a^2 + b$, where a and b are integers, b > 1, and $b \mid 2a$.

14. Prove that if $\alpha_1 = (a_1 + b_1\sqrt{d})/c_1$ and $\alpha_2 = (a_2 + b_2\sqrt{d})/c_2$ are quadratic irrationalities, then
the following hold.

a) $(\alpha_1 + \alpha_2)' = \alpha_1' + \alpha_2'$ b) $(\alpha_1 - \alpha_2)' = \alpha_1' - \alpha_2'$ c) $(\alpha_1 \alpha_2)' = \alpha_1' \cdot \alpha_2'$

15. Which of the following quadratic irrationalities have purely periodic continued fractions?

a) $1 + \sqrt{5}$ c) $4 + \sqrt{17}$ e) $(3 + \sqrt{23})/2$

b) $2 + \sqrt{8}$ d) $(11 - \sqrt{10})/9$ f) $(17 + \sqrt{188})/3$

16. Suppose that $\alpha = (a + \sqrt{b})/c$, where a, b, and c are integers, b > 0, and b is not a perfect
square. Show that $\alpha$ is a reduced quadratic irrationality if and only if $0 < a < \sqrt{b}$ and
$\sqrt{b} - a < c < \sqrt{b} + a < 2\sqrt{b}$.

17. Show that if $\alpha$ is a reduced quadratic irrationality, then $-1/\alpha'$ is also a reduced quadratic
irrationality.
* 18. Let k be a positive integer. Show that there are not infinitely many positive integers D, such
that the simple continued fraction expansion of $\sqrt{D}$ has a period of length k. (Hint: Let $a_1 = 2$,
$a_2 = 5$, and for k > 3, let $a_k = 2a_{k-1} + a_{k-2}$. Show that if $D = (ta_k + 1)^2 + 2ta_{k-1} + 1$,
where t is a nonnegative integer, then $\sqrt{D}$ has a period of length k + 1.)

* 19. Let k be a positive integer. Let $D_k = (3^k + 1)^2 + 3$. Show that the simple continued fraction
of $\sqrt{D_k}$ has a period of length 6k.

Computations and Explorations 

1. Find the simple continued fraction of $\sqrt{100{,}007}$, $\sqrt{1{,}000{,}007}$, and $\sqrt{10{,}000{,}007}$.

2. Find the smallest positive integer D such that the length of the period of the simple continued
fraction of $\sqrt{D}$ is 10, 100, 1000, and 10,000.

3. Find the length of the largest period of the simple continued fraction of $\sqrt{D}$, where D is a
positive integer less than 1003, less than 10,000, and less than 100,000. Can you make any
conjectures?

4. Look for patterns in the continued fractions of $\sqrt{D}$ for many different values of D.

Programming Projects 

* 1. Find the quadratic irrationality that is the value of a periodic simple continued fraction. 

2. Find the periodic simple continued fraction expansion of a quadratic irrationality. 


12.5 Factoring Using Continued Fractions 

We can factor the positive integer n if we can find positive integers x and y such that
$x^2 - y^2 = n$ and $x - y \neq 1$. This is the basis of the Fermat factorization method discussed
in Section 3.6. However, it is possible to factor n if we can find positive integers x and
y that satisfy the weaker condition

(12.20) $x^2 \equiv y^2 \pmod{n}$, $0 < y < x < n$, and $x + y \neq n$.

To see this, note that if (12.20) holds, then n divides $x^2 - y^2 = (x + y)(x - y)$, and n
divides neither x - y nor x + y. It follows that (n, x - y) and (n, x + y) are divisors
of n that do not equal 1 or n. We can find these divisors rapidly using the Euclidean
algorithm.

Example 12.17. Note that $29^2 - 17^2 = 841 - 289 = 552 \equiv 0 \pmod{69}$. Because
$29^2 - 17^2 = (29 - 17)(29 + 17) \equiv 0 \pmod{69}$, both (29 - 17, 69) = (12, 69) and
(29 + 17, 69) = (46, 69) are divisors of 69 not equal to either 1 or 69; using the Euclidean
algorithm, we find that these factors are (12, 69) = 3 and (46, 69) = 23. ◄

The continued fraction expansion of $\sqrt{n}$ can be used to find solutions of the congruence
$x^2 \equiv y^2 \pmod{n}$. The following theorem is the basis for this.
Theorem 12.24. Let n be a positive integer that is not a perfect square. Define
$\alpha_k = (P_k + \sqrt{n})/Q_k$, $a_k = [\alpha_k]$, $P_{k+1} = a_k Q_k - P_k$, and $Q_{k+1} = (n - P_{k+1}^2)/Q_k$, for
k = 0, 1, 2, ..., where $\alpha_0 = \sqrt{n}$. Furthermore, let $p_k/q_k$ denote the kth convergent of the
simple continued fraction expansion of $\sqrt{n}$. Then

    $p_k^2 - n q_k^2 = (-1)^{k-1} Q_{k+1}$.

The proof of Theorem 12.24 depends on the following useful lemma.

Lemma 12.6. Let $r + s\sqrt{n} = t + u\sqrt{n}$, where r, s, t, and u are rational numbers and
n is a positive integer that is not a perfect square. Then r = t and s = u.

Proof. Because $r + s\sqrt{n} = t + u\sqrt{n}$, we see that if $s \neq u$ then

    $\sqrt{n} = \dfrac{r - t}{u - s}$.

Because (r - t)/(u - s) is rational and $\sqrt{n}$ is irrational, it follows that s = u and,
consequently, that r = t. ■

We can now prove Theorem 12.24.

Proof. Because $\sqrt{n} = \alpha_0 = [a_0; a_1, a_2, \ldots, a_k, \alpha_{k+1}]$, Theorem 12.9 tells us that

    $\sqrt{n} = \dfrac{\alpha_{k+1} p_k + p_{k-1}}{\alpha_{k+1} q_k + q_{k-1}}$.

Because $\alpha_{k+1} = (P_{k+1} + \sqrt{n})/Q_{k+1}$, we have

    $\sqrt{n} = \dfrac{(P_{k+1} + \sqrt{n})\, p_k + Q_{k+1} p_{k-1}}{(P_{k+1} + \sqrt{n})\, q_k + Q_{k+1} q_{k-1}}$.

Therefore, we see that

    $n q_k + (P_{k+1} q_k + Q_{k+1} q_{k-1})\sqrt{n} = (P_{k+1} p_k + Q_{k+1} p_{k-1}) + p_k \sqrt{n}$.

By Lemma 12.6, we see that $n q_k = P_{k+1} p_k + Q_{k+1} p_{k-1}$ and $P_{k+1} q_k + Q_{k+1} q_{k-1} = p_k$.
When we multiply the first of these two equations by $q_k$ and the second by $p_k$, subtract
the first from the second, and then simplify, we obtain

    $p_k^2 - n q_k^2 = (p_k q_{k-1} - p_{k-1} q_k) Q_{k+1} = (-1)^{k-1} Q_{k+1}$,

where we have used Theorem 12.10 to complete the proof. ■

We now outline the technique known as the continued fraction algorithm for factoring
an integer n, which was proposed by D. H. Lehmer and R. E. Powers in 1931,
and further developed by J. Brillhart and M. A. Morrison in 1975 (see [LePo31] and
[MoBr75] for details). Suppose that the terms $p_k$, $q_k$, $Q_k$, $a_k$, and $\alpha_k$ have their usual
meanings in the computation of the continued fraction expansion of $\sqrt{n}$. By Theorem
12.24, it follows that for every nonnegative integer k,

    $p_k^2 \equiv (-1)^{k-1} Q_{k+1} \pmod{n}$,

where $p_k$ and $Q_{k+1}$ are as defined in the statement of the theorem. Now, suppose that k
is odd and that $Q_{k+1}$ is a square, that is, $Q_{k+1} = s^2$, where s is a positive integer. Then
$p_k^2 \equiv s^2 \pmod{n}$, and we may be able to use this congruence of two squares modulo
n to find factors of n. Summarizing, to factor n we carry out the algorithm described
in Theorem 12.10 to find the continued fraction expansion of $\sqrt{n}$. We look for squares
among the terms with even indices in the sequence $\{Q_k\}$. Each such occurrence may lead
to a nonproper factor of n (or may just lead to the factorization $n = 1 \cdot n$). We illustrate
this technique with several examples.

Example 12.18. We can factor 1037 using the continued fraction algorithm. Take
$\alpha = \sqrt{1037} = (0 + \sqrt{1037})/1$ with $P_0 = 0$ and $Q_0 = 1$, and generate the terms $P_k$, $Q_k$, $\alpha_k$,
and $a_k$. We look for squares among the terms with even indices in the sequence $\{Q_k\}$.
We find that $Q_1 = 13$ and $Q_2 = 49$. Because $49 = 7^2$ is a square, and the index of
$Q_2$ is even, we examine the congruence $p_1^2 \equiv (-1)^2 Q_2 \pmod{1037}$. Computing the
terms of the sequence $\{p_k\}$, we find that $p_1 = 129$. This gives the congruence $129^2 \equiv 49 \pmod{1037}$.
Hence, $129^2 - 7^2 = (129 - 7)(129 + 7) \equiv 0 \pmod{1037}$. This produces the
factors (129 - 7, 1037) = (122, 1037) = 61 and (129 + 7, 1037) = (136, 1037) = 17 of
1037. ◄

Example 12.19. We can use the continued fraction algorithm to find factors of
1,000,009 (we follow computations of [Ri85]). We have $Q_1 = 9$, $Q_2 = 445$, $Q_3 = 873$,
and $Q_4 = 81$. Because $81 = 9^2$ is a square, we examine the congruence
$p_3^2 \equiv (-1)^4 Q_4 \pmod{1{,}000{,}009}$. However, $p_3 = 2{,}000{,}009 \equiv -9 \pmod{1{,}000{,}009}$, so that $p_3 + 9$ is
divisible by 1,000,009. It follows that we do not get any proper factors of 1,000,009 from
this.

We continue until we reach another square in the sequence $\{Q_k\}$ with k even. This
happens when k = 18 with $Q_{18} = 16$. Calculating $p_{17}$ gives $p_{17} = 494{,}881$. From the
congruence $p_{17}^2 \equiv (-1)^{18} Q_{18} \pmod{1{,}000{,}009}$, we have
$494{,}881^2 \equiv 4^2 \pmod{1{,}000{,}009}$. It follows that (494881 - 4, 1000009) = (494877, 1000009) = 293
and (494881 + 4, 1000009) = (494885, 1000009) = 3413 are factors of 1,000,009. ◄

More powerful techniques based on continued fraction expansions are known. These 
are described in [Di84], [Gu75], and [WaSm87]. We describe one such generalization in 
the exercises. 
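
The procedure of Theorem 12.24 and Examples 12.17 to 12.19, written out as an added Python example (it is not code from the text). The function names split_with_squares and cf_factor and the max_terms cutoff are illustrative choices; the numerators p_k are kept reduced modulo n, which is all the congruence needs.

```python
from math import gcd, isqrt


def split_with_squares(x, y, n):
    """Given x^2 = y^2 (mod n), return the divisors (n, x - y) and (n, x + y)."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent modulo n")
    return gcd(x - y, n), gcd(x + y, n)


def cf_factor(n, max_terms=100_000):
    """Search the continued fraction of sqrt(n) for a proper factor of n.

    Returns (factor, cofactor, index), where index is the even index j with
    Q_j = s^2 that produced the factor, or None if no proper factor was found
    within max_terms steps.
    """
    a0 = isqrt(n)
    if n < 2 or a0 * a0 == n:
        raise ValueError("n must be a positive integer that is not a perfect square")

    P, Q, a = 0, 1, a0           # P_0, Q_0, a_0
    p_prev, p_cur = 1, a0 % n    # p_{-1} = 1 and p_0 = a_0, reduced mod n

    for k in range(max_terms):
        # Recurrences of Theorem 12.24: step from index k to index k + 1.
        P = a * Q - P            # P_{k+1} = a_k Q_k - P_k
        Q = (n - P * P) // Q     # Q_{k+1} = (n - P_{k+1}^2) / Q_k, an exact division

        # p_k^2 = (-1)^(k-1) Q_{k+1} (mod n). For odd k the sign is +1, so a
        # square Q_{k+1} = s^2 with even index k + 1 gives p_k^2 = s^2 (mod n).
        if k % 2 == 1:
            s = isqrt(Q)
            if s * s == Q:
                g = gcd(p_cur - s, n)
                if 1 < g < n:
                    return g, n // g, k + 1
                # Otherwise p_k = +s or -s (mod n), which only gives n = 1 * n
                # (the situation at Q_4 = 81 in Example 12.19); keep going.

        a = (a0 + P) // Q        # a_{k+1} = [(P_{k+1} + sqrt(n)) / Q_{k+1}]
        p_prev, p_cur = p_cur, (a * p_cur + p_prev) % n   # p_{k+1} mod n
    return None


if __name__ == "__main__":
    print(split_with_squares(29, 17, 69))   # Example 12.17
    print(cf_factor(1037))                  # Example 12.18
    print(cf_factor(1000009))               # Example 12.19
```

Checking only (p_k - s, n) is enough: if that greatest common divisor is 1, then n divides p_k + s, so the other divisor is n itself.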


12.5 Exercises 

1. Find factors of 119 using the congruence $19^2 \equiv 2^2 \pmod{119}$.

2. Factor 1537 using the continued fraction algorithm.

3. Factor the integer 13,290,059 using the continued fraction algorithm. (Hint: Use a computer
program to generate the integers $Q_k$ for the continued fraction for $\sqrt{13{,}290{,}059}$. You will
need more than 50 terms.)

4. Let n be a positive integer and let $p_1, p_2, \ldots, p_m$ be primes. Suppose that there exist
integers $x_1, x_2, \ldots, x_r$ such that

    $x_1^2 \equiv (-1)^{e_{01}} p_1^{e_{11}} \cdots p_m^{e_{m1}} \pmod{n}$,
    $x_2^2 \equiv (-1)^{e_{02}} p_1^{e_{12}} \cdots p_m^{e_{m2}} \pmod{n}$,
    $\vdots$
    $x_r^2 \equiv (-1)^{e_{0r}} p_1^{e_{1r}} \cdots p_m^{e_{mr}} \pmod{n}$,

where

    $e_{01} + e_{02} + \cdots + e_{0r} = 2e_0$
    $e_{11} + e_{12} + \cdots + e_{1r} = 2e_1$
    $\vdots$
    $e_{m1} + e_{m2} + \cdots + e_{mr} = 2e_m$.

Show that $x^2 \equiv y^2 \pmod{n}$, where $x = x_1 x_2 \cdots x_r$ and $y = (-1)^{e_0} p_1^{e_1} \cdots p_r^{e_r}$. Explain how
to factor n using this information. Here, the primes $p_1, \ldots, p_r$, together with -1, are called
the factor base.

5. Show that 143 can be factored by setting $x_1 = 17$ and $x_2 = 19$, taking the factor base to be
{3, 5}.

6. Let n be a positive integer and let $p_1, p_2, \ldots, p_r$ be primes. Suppose that $Q_{k_i} = \prod_{j=1}^{r} p_j^{k_{ij}}$
for i = 1, ..., t, where the integers $Q_j$ have their usual meaning with respect to the continued
fraction of $\sqrt{n}$. Explain how n can be factored if $\sum_{i=1}^{t} k_i$ is even and $\sum_{i=1}^{t} k_{ij}$ is even for
j = 1, 2, ..., r.

7. Show that 12,007,001 can be factored using the continued fraction expansions of
$\sqrt{12{,}007{,}001}$ with factor base -1, 2, 31, 71, 97. (Hint: Use the factorizations $Q_1 = 2^3 \cdot 97$,
$Q_{12} = 2^4 \cdot 71$, $Q_{28} = 2^{11}$, $Q_{34} = 31 \cdot 97$, and $Q_{41} = 31 \cdot 71$, and show that
$p_0 p_{11} p_{27} p_{33} p_{40} \equiv 9{,}815{,}310 \pmod{12{,}007{,}001}$.)

8. Factor 197,209 using the continued fraction expansion of $\sqrt{197{,}209}$ and factor base 2, 3, 5.

Computations and Explorations 

1. Use the continued fraction algorithm to factor F n = 2 2? + 1. 

* 2. Use the continued fraction algorithm to find the prime factorization of $N_n$, where $N_j$ is the
jth term of the sequence defined by $N_1 = 2$, $N_{j+1} = p_1 p_2 \cdots p_j + 1$, where $p_j$ is the largest
prime factor of $N_j$. (For example, $N_2 = 3$, $N_3 = 7$, $N_4 = 43$, $N_5 = 1807$, and so on.)


Programming Projects 

* 1. Factor positive integers using the continued fraction algorithm. 

* * 2. Factor positive integers using factor bases and continued fraction expansions (see Exercise 6).



13 Some Nonlinear Diophantine Equations


An equation with the restriction that only integer (or sometimes rational) solutions
are sought is called a diophantine equation. We have already studied a simple type
of diophantine equation, namely, linear diophantine equations (Section 3.6). We learned
how all solutions in integers of a linear diophantine equation can be found. But what
about nonlinear diophantine equations?

It is a deep theorem (beyond the scope of this text) that there is no general method
for solving all nonlinear diophantine equations. However, many results have been established
about particular nonlinear diophantine equations, as well as certain families
of nonlinear diophantine equations. This chapter addresses several types of nonlinear
diophantine equations. First, we will consider the diophantine equation $x^2 + y^2 = z^2$,
satisfied by the lengths of the sides of a right triangle. A triple of integers (x, y, z) that
solves this equation is called a Pythagorean triple. After finding an explicit formula for
Pythagorean triples, we will show this formula can be found by determining all the points
(x, y) on the unit circle with rational coefficients using geometric reasoning.

After studying the diophantine equation $x^2 + y^2 = z^2$, we will consider the famous
diophantine equation $x^n + y^n = z^n$, where n is an integer greater than 2. That is, we will
be interested in whether the sum of the nth powers of two integers can also be the nth
power of an integer, where none of the three integers equals 0. Fermat stated that there
are no solutions of this diophantine equation when n > 2 (a statement known as Fermat’s
last theorem), but for more than 350 years no one could find a proof. The first proof of
this theorem was discovered by Andrew Wiles in 1995, which ended one of the greatest
challenges of mathematics. The proof of Fermat’s last theorem is far beyond the scope
of this book, but we will be able to provide a proof for the case when n = 4.

Next, we will consider the problem of representing integers as the sums of squares.
We will determine which integers can be written as the sum of two squares. Furthermore,
we will prove that every positive integer is the sum of four squares.

We will also study the diophantine equation $x^2 - dy^2 = 1$, known as Pell’s equation.
We will show that the solutions of this equation can be found using the simple continued
fraction of $\sqrt{d}$, providing another example of the usefulness of continued fractions.

Finally, we will study the famous congruent number problem, which asks which
integers are the area of a right triangle with sides of integer length. Progress on this
ancient problem has been made in recent years through the use of elliptic curves, a type of
cubic diophantine equation. We will show how finding rational points on certain elliptic
curves can be used to study the congruent number problem.


13.1 Pythagorean Triples

The Pythagorean theorem tells us that the sum of the squares of the lengths of the legs
of a right triangle equals the square of the length of the hypotenuse. Conversely, any
triangle for which the sum of the squares of the lengths of the two shortest sides equals
the square of the third side is a right triangle. Consequently, to find all right triangles with
integral side lengths, we need to find all triples of positive integers (x, y, z) satisfying
the diophantine equation

(13.1) $x^2 + y^2 = z^2$.

Triples of positive integers satisfying this equation are called Pythagorean triples after
the ancient Greek mathematician Pythagoras. Similarly, we call a right triangle with
integer side lengths a Pythagorean triangle.

Example 13.1. The triples (3, 4, 5), (6, 8, 10), and (5, 12, 13) are Pythagorean triples
because $3^2 + 4^2 = 5^2$, $6^2 + 8^2 = 10^2$, and $5^2 + 12^2 = 13^2$. ◄

Unlike most nonlinear diophantine equations, it is possible to explicitly describe all
the integral solutions of (13.1). Before developing the result describing all Pythagorean
triples, we need a definition.

Definition. A Pythagorean triple (x, y, z) is called primitive if x, y, and z are relatively
prime, that is, if (x, y, z) = 1. We call a triangle a primitive right triangle if its sides have
lengths from a primitive Pythagorean triple.

Remark. Unfortunately, the notation (x, y, z) can denote the ordered triple of numbers
x, y, and z or the greatest common divisor of x, y, and z. Fortunately, the context in
which this notation is used will always make it clear which meaning is intended.


PYTHAGORAS (c. 572-c. 500 b.c.e.) was born on the Greek island of Samos.
After extensive travels and studies, Pythagoras founded his famous school at
the Greek port of Crotona, in what is now southern Italy. Besides being an
academy devoted to the study of mathematics, philosophy, and science, the
school was the site of a brotherhood sharing secret rites. The Pythagoreans, as
the members of this brotherhood were called, published nothing and ascribed all
their discoveries to Pythagoras himself. However, it is believed that Pythagoras
himself discovered what is now called the Pythagorean theorem, namely, that
$a^2 + b^2 = c^2$, where a, b, and c are the lengths of the two legs and of the hypotenuse of a right triangle,
respectively. The Pythagoreans believed that the key to understanding the world lay with natural
numbers and form. Their central tenet was “Everything is Number.” Because of their fascination with
the natural numbers, the Pythagoreans made many discoveries in number theory. In particular, they
studied perfect numbers and amicable numbers for the mystical properties they felt these numbers
possessed.


Example 13.2. The Pythagorean triples (3, 4, 5) and (5, 12, 13) are primitive, whereas
the Pythagorean triple (6, 8, 10) is not. ◄

Let (x, y, z) be a Pythagorean triple with (x, y, z) = d. Then there are integers
$x_1$, $y_1$, $z_1$ with $x = dx_1$, $y = dy_1$, $z = dz_1$, and $(x_1, y_1, z_1) = 1$. Furthermore, because

    $x^2 + y^2 = z^2$,

we have

    $(x/d)^2 + (y/d)^2 = (z/d)^2$,

so that

    $x_1^2 + y_1^2 = z_1^2$.

Hence, $(x_1, y_1, z_1)$ is a primitive Pythagorean triple, and the original triple (x, y, z) is
simply an integral multiple of this primitive Pythagorean triple.

Also note that any integral multiple of a primitive (or for that matter any)
Pythagorean triple is again a Pythagorean triple. If $(x_1, y_1, z_1)$ is a primitive Pythagorean
triple, then we have

    $x_1^2 + y_1^2 = z_1^2$,

and hence,

    $(dx_1)^2 + (dy_1)^2 = (dz_1)^2$,

so that $(dx_1, dy_1, dz_1)$ is a Pythagorean triple.

Consequently, all Pythagorean triples can be found by forming integral multiples of
primitive Pythagorean triples. To find all primitive Pythagorean triples, we need some
lemmas. The first lemma tells us that any two integers of a primitive Pythagorean triple
are relatively prime.

Lemma 13.1. If (x, y, z) is a primitive Pythagorean triple, then (x, y) = (x, z) =
(y, z) = 1.

Proof. Suppose that (x, y, z) is a primitive Pythagorean triple and (x, y) > 1. Then,
there is a prime p such that $p \mid (x, y)$, so that $p \mid x$ and $p \mid y$. Because $p \mid x$ and $p \mid y$,
we know that $p \mid (x^2 + y^2) = z^2$. Because $p \mid z^2$, we can conclude that $p \mid z$. This is a
contradiction, because (x, y, z) = 1. Therefore, (x, y) = 1. In a similar manner, we can
easily show that (x, z) = (y, z) = 1. ■

Next, we establish a lemma about the parity of the integers of a primitive Pythagorean
triple.

Lemma 13.2. If (x, y, z) is a primitive Pythagorean triple, then x is even and y is odd
or x is odd and y is even.

Proof. Let (x, y, z) be a primitive Pythagorean triple. By Lemma 13.1, we know that
(x, y) = 1, so that x and y cannot both be even. Also, x and y cannot both be odd. If x
and y were both odd, then we would have

    $x^2 \equiv y^2 \equiv 1 \pmod{4}$,

so that

    $z^2 = x^2 + y^2 \equiv 2 \pmod{4}$.

This is impossible. Therefore, x is even and y is odd, or vice versa. ■

The final lemma that we need is a consequence of the fundamental theorem of
arithmetic. It tells us that two relatively prime integers that multiply together to give
a square must both be squares.

Lemma 13.3. If r, s, and t are positive integers such that (r, s) = 1 and $rs = t^2$, then
there are integers m and n such that $r = m^2$ and $s = n^2$.

Proof. If r = 1 or s = 1, then the lemma is obviously true, so we may suppose that r > 1
and s > 1. Let the prime-power factorizations of r, s, and t be

    $r = p_1^{a_1} p_2^{a_2} \cdots p_u^{a_u}$,
    $s = p_{u+1}^{a_{u+1}} p_{u+2}^{a_{u+2}} \cdots p_v^{a_v}$,
    $t = q_1^{b_1} q_2^{b_2} \cdots q_k^{b_k}$.

Because (r, s) = 1, the primes occurring in the factorizations of r and s are distinct.
Because $rs = t^2$, we have

    $p_1^{a_1} p_2^{a_2} \cdots p_u^{a_u} p_{u+1}^{a_{u+1}} \cdots p_v^{a_v} = q_1^{2b_1} q_2^{2b_2} \cdots q_k^{2b_k}$.

From the fundamental theorem of arithmetic, the prime powers occurring on the two
sides of the above equation are the same. Hence, each $p_i$ must be equal to $q_j$ for some
j with matching exponents, so that $a_i = 2b_j$. Consequently, every exponent $a_i$ is even,
and therefore $a_i/2$ is an integer. We see that $r = m^2$ and $s = n^2$, where m and n are the
integers

    $m = p_1^{a_1/2} p_2^{a_2/2} \cdots p_u^{a_u/2}$

and

    $n = p_{u+1}^{a_{u+1}/2} p_{u+2}^{a_{u+2}/2} \cdots p_v^{a_v/2}$. ■
We can now prove the desired result that describes all primitive Pythagorean triples. 


Theorem 13.1. The triple (x, y, z) of positive integers is a primitive Pythagorean triple,
with y even, if and only if there are relatively prime positive integers m and n, m > n,
with m odd and n even or m even and n odd, such that

    $x = m^2 - n^2$,
    $y = 2mn$,
    $z = m^2 + n^2$.
Proof. Let (x, y, z) be a primitive Pythagorean triple. We will show that there are
integers m and n as specified in the statement of the theorem. Lemma 13.2 tells us that
x is odd and y is even, or vice versa. Because we have assumed that y is even, x and z
are both odd. Hence, z + x and z - x are both even, so that there are positive integers r
and s with r = (z + x)/2 and s = (z - x)/2.

Because $x^2 + y^2 = z^2$, we have $y^2 = z^2 - x^2 = (z + x)(z - x)$. Hence,

    $\left(\dfrac{y}{2}\right)^2 = \left(\dfrac{z + x}{2}\right)\left(\dfrac{z - x}{2}\right) = rs$.

We note that (r, s) = 1. To see this, let (r, s) = d. Because $d \mid r$ and $d \mid s$, $d \mid (r + s) = z$
and $d \mid (r - s) = x$. This means that $d \mid (x, z) = 1$, so that d = 1.

Using Lemma 13.3, we see that there are positive integers m and n such that $r = m^2$
and $s = n^2$. Writing x, y, and z in terms of m and n, we have

    $x = r - s = m^2 - n^2$,
    $y = \sqrt{4rs} = \sqrt{4m^2n^2} = 2mn$,
    $z = r + s = m^2 + n^2$.

We also see that (m, n) = 1, because any common divisor of m and n must also divide
$x = m^2 - n^2$, $y = 2mn$, and $z = m^2 + n^2$, and we know that (x, y, z) = 1. We also note
that m and n cannot both be odd, for if they were, then x, y, and z would all be even,
contradicting the condition (x, y, z) = 1. Because (m, n) = 1 and m and n cannot both
be odd, we see that m is even and n is odd, or vice versa. This shows that every primitive
Pythagorean triple has the appropriate form.

To complete the proof, we must show that every triple (x, y, z) with

    $x = m^2 - n^2$,
    $y = 2mn$,
    $z = m^2 + n^2$,

where m and n are positive integers, m > n, (m, n) = 1, and $m \not\equiv n \pmod{2}$, is a primitive
Pythagorean triple. First, note that $m^2 - n^2$, $2mn$, $m^2 + n^2$ forms a Pythagorean triple
because

    $x^2 + y^2 = (m^2 - n^2)^2 + (2mn)^2$
    $= (m^4 - 2m^2n^2 + n^4) + 4m^2n^2$
    $= m^4 + 2m^2n^2 + n^4$
    $= (m^2 + n^2)^2$
    $= z^2$.

To see that this triple forms a primitive Pythagorean triple, we must show that these
values of x, y, and z are mutually relatively prime. Assume for the sake of contradiction
that (x, y, z) = d > 1. Then there is a prime $p \mid (x, y, z)$. We note that $p \neq 2$, because
x is odd (because $x = m^2 - n^2$, where $m^2$ and $n^2$ have opposite parity). Also, note that
because $p \mid x$ and $p \mid z$, $p \mid (z + x) = 2m^2$ and $p \mid (z - x) = 2n^2$. Hence, $p \mid m$ and $p \mid n$,
contradicting the fact that (m, n) = 1. Therefore, (x, y, z) = 1, and (x, y, z) is a primitive
Pythagorean triple, concluding the proof. ■

The following example illustrates the use of Theorem 13.1 to produce a Pythagorean 
triple. 

Example 13.3. Let m = 5 and n = 2, so that (m, n) = 1, $m \not\equiv n \pmod{2}$, and m > n.
Hence, Theorem 13.1 tells us that (x, y, z) with

    $x = m^2 - n^2 = 5^2 - 2^2 = 21$,
    $y = 2mn = 2 \cdot 5 \cdot 2 = 20$,
    $z = m^2 + n^2 = 5^2 + 2^2 = 29$

is a primitive Pythagorean triple. ◄

We list the primitive Pythagorean triples generated using Theorem 13.1 with $m \leq 6$
in Table 13.1.

Rational Points on the Unit Circle 

We now turn our attention to a problem in diophantine geometry, the subject of finding 
points on algebraic curves whose coordinates are all integers or are all rational numbers. 
Points with rational coefficients on a curve are called rational points on this curve. We 
will find all rational points on the unit circle $x^2 + y^2 = 1$ using geometric reasoning.

An immediate benefit of finding all rational points on the unit circle is that we can
find all Pythagorean triples from these rational points. To see the relationship between
Pythagorean triples and rational points on the unit circle, first suppose that a, b, and c
are integers with $c \neq 0$ and $a^2 + b^2 = c^2$ (so that (a, b, c) is a Pythagorean triple when
these integers are positive). Dividing both sides of this equation by $c^2$, we obtain

    $(a/c)^2 + (b/c)^2 = 1$.


m    n    $x = m^2 - n^2$    $y = 2mn$    $z = m^2 + n^2$
2    1          3               4              5
3    2          5              12             13
4    1         15               8             17
4    3          7              24             25
5    2         21              20             29
5    4          9              40             41
6    1         35              12             37
6    5         11              60             61

Table 13.1 Some primitive Pythagorean triples.

Hence, the point (a/c, b/c) is a rational point on the unit circle $x^2 + y^2 = 1$, so that every
Pythagorean triple has an associated rational point on the unit circle.

Conversely, suppose that the point (x, y) is a rational point on the unit circle, so
that $x^2 + y^2 = 1$ where x and y are rational numbers. Because both x and y are rational
numbers, we can express each as a ratio of two integers where the denominator is not
zero. By choosing the least common denominator for these rational numbers, we can
write x = a/c and y = b/c where a, b, and c are integers with $c \neq 0$ and

    $(a/c)^2 + (b/c)^2 = 1$.

Multiplying both sides by $c^2$ tells us that $a^2 + b^2 = c^2$. So, if a and b are both positive,
then (a, b, c) is a Pythagorean triple.

We now use some simple ideas from geometry to find the rational points on the unit
circle. First, note that the points (0, 1), (0, -1), (1, 0), and (-1, 0) are rational points
on this circle. Of these four points, we choose the point (-1, 0) to begin our work. Next,
observe that if (x, y) is a point with rational coefficients in the plane, then the slope of the
line between (x, y) and (-1, 0) is t = y/(x + 1), which is also rational. Now suppose
that t is a rational number and consider the line y = t(x + 1) that goes through (-1, 0).
We will show that this line intersects the unit circle in a second rational point (see Figure
13.1). This will allow us to parameterize all rational points of the unit circle other than
(-1, 0) in terms of the rational number t. (In general, the parameterization of a curve is
the specification of the points on this curve in terms of one or more variables.)



Figure 13.1 Parameterizing rational points on the unit circle. 


To find the intersection of the line y = t(x + 1) with the unit circle $x^2 + y^2 = 1$, we
substitute t(x + 1) for y in the equation for this circle and solve for x. We find that

    $x^2 + t^2(x + 1)^2 = 1$.

We next subtract 1 from both sides and factor $x^2 - 1$ to obtain

    $(x^2 - 1) + t^2(x + 1)^2 = (x + 1)(x - 1) + t^2(x + 1)^2 = 0$.

Factoring out the common factor x + 1 tells us that

    $(x + 1)[(x - 1) + t^2(x + 1)] = 0$.

We note that x = -1 is a solution; this is no surprise because (-1, 0) is on the line. The
other solution is found by solving

    $(x - 1) + t^2(x + 1) = 0$

for x. This gives $x = (1 - t^2)/(1 + t^2)$. We find the corresponding value for y using the
equation of the line y = t(x + 1). This tells us that

    $y = t(x + 1) = t\left(\dfrac{1 - t^2}{1 + t^2} + 1\right) = \dfrac{2t}{1 + t^2}$.

We conclude that the second point of intersection of the line y = t(x + 1) with the unit
circle is the point $\left(\dfrac{1 - t^2}{1 + t^2}, \dfrac{2t}{1 + t^2}\right)$. This is a rational point when t is rational, because both
of its coordinates are rational functions of t (and rational functions of a rational number
t are rational because they are the quotient of two polynomials in t, and products, sums,
and quotients of rational numbers are rational).

We have found all the rational points on the unit circle, namely, (-1, 0) and all
points of the form $\left(\dfrac{1 - t^2}{1 + t^2}, \dfrac{2t}{1 + t^2}\right)$ where t is rational.

When we take t = m/n, where m and n are positive integers, in the parameterization 
we have found for the rational points on the unit circle, we obtain a formula for all 
Pythagorean triples. That is, given positive integers m and n, we obtain the rational 
point ( ^ 2 ~" 2 , on the unit circle. From our earlier comments, we see that (m 2 — 

n 2 , 2 ran, m 2 + n 2 ) is a Pythagorean triple. 

Note that when we found the rational points on the unit circle, we found the rational 
points on an algebraic curve of the form f(x,y) = 0 where / (jc, y) is a polynomial with 
integer coefficients. This is an important type of diophantine problem. By expressing the 
rational points in terms of the rational number t, we gave a rational parameterization of 
this curve. See Exercises 21-24 for additional examples of rational parameterizations of 
algebraic curves. 
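
Theorem 13.1 and the parameterization of the unit circle, checked by computation in an added Python example (not code from the text). The function names are illustrative; brute_force_primitive is an independent search used only to confirm the "if and only if" of Theorem 13.1 up to a bound on z.

```python
from fractions import Fraction
from math import gcd, isqrt


def primitive_triples(max_m):
    """Rows (m, n, x, y, z) of Theorem 13.1 for all admissible m <= max_m.

    Admissible means m > n >= 1, (m, n) = 1, and m, n of opposite parity.
    """
    rows = []
    for m in range(2, max_m + 1):
        for n in range(1, m):
            if gcd(m, n) == 1 and (m - n) % 2 == 1:
                rows.append((m, n, m * m - n * n, 2 * m * n, m * m + n * n))
    return rows


def brute_force_primitive(z_max):
    """Search x^2 + y^2 = z^2 directly for primitive triples with y even."""
    found = set()
    for z in range(1, z_max + 1):
        for y in range(2, z, 2):
            x_squared = z * z - y * y
            x = isqrt(x_squared)
            if x * x == x_squared and gcd(gcd(x, y), z) == 1:
                found.add((x, y, z))
    return found


def circle_point(t):
    """Second intersection of the line y = t(x + 1) with x^2 + y^2 = 1."""
    t = Fraction(t)
    return (1 - t * t) / (1 + t * t), 2 * t / (1 + t * t)


def triple_from_slope(t):
    """Clear denominators of circle_point(t) to get integers with a^2 + b^2 = c^2."""
    x, y = circle_point(t)
    c = x.denominator * y.denominator // gcd(x.denominator, y.denominator)
    return int(x * c), int(y * c), c


def theorem_matches_search(z_max):
    """True if Theorem 13.1 yields exactly the triples the direct search finds."""
    # m^2 + n^2 <= z_max forces m <= isqrt(z_max), so this range is complete.
    from_theorem = {(x, y, z) for (_, _, x, y, z) in primitive_triples(isqrt(z_max))
                    if z <= z_max}
    return from_theorem == brute_force_primitive(z_max)


if __name__ == "__main__":
    for row in primitive_triples(6):        # the rows of Table 13.1
        print(row)
    print(theorem_matches_search(200))
    print(circle_point(Fraction(2, 5)))     # the point (21/29, 20/29)
    print(triple_from_slope(Fraction(2, 5)))
```

The slope t = 2/5 gives the point (21/29, 20/29), whose cleared denominators are the triple (21, 20, 29) of Example 13.3.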


13.1 Exercises 

1. a) Find all primitive Pythagorean triples (x, y, z) with z < 40.
b) Find all Pythagorean triples (x, y, z) with z < 40.

2. Show that if (x, y, z) is a primitive Pythagorean triple, then either x or y is divisible by 3.

3. Show that if (x, y, z) is a primitive Pythagorean triple, then exactly one of x, y, and z is
divisible by 5.

4. Show that if (x, y, z) is a primitive Pythagorean triple, then at least one of x, y, and z is
divisible by 4.

5. Show that every positive integer greater than 2 is part of at least one Pythagorean triple.

6. Let $x_1 = 3$, $y_1 = 4$, $z_1 = 5$, and let $x_n$, $y_n$, $z_n$, for n = 2, 3, 4, ..., be defined recursively by

    $x_{n+1} = 3x_n + 2z_n + 1$,
    $y_{n+1} = 3x_n + 2z_n + 2$,
    $z_{n+1} = 4x_n + 3z_n + 2$.

Show that $(x_n, y_n, z_n)$ is a Pythagorean triple.

7. Show that if (x, y, z) is a Pythagorean triple with y = x + 1, then (x, y, z) is one of the
Pythagorean triples given in Exercise 6.

8. Find all solutions in positive integers of the diophantine equation $x^2 + 2y^2 = z^2$.

9. Find all solutions in positive integers of the diophantine equation $x^2 + 3y^2 = z^2$.

* 10. Find all solutions in positive integers of the diophantine equation $w^2 + x^2 + y^2 = z^2$.

11. Find all Pythagorean triples containing the integer 12.

12. Find formulas for the integers of all Pythagorean triples (x, y, z) with z = y + 1.

13. Find formulas for the integers of all Pythagorean triples (x, y, z) with z = y + 2.

* 14. Show that the number of Pythagorean triples (x, y, z) (with $x^2 + y^2 = z^2$) with a fixed integer
x is $(\tau(x^2) - 1)/2$ if x is odd, and $(\tau(x^2/4) - 1)/2$ if x is even.

* 15. Find all solutions in positive integers of the diophantine equation $x^2 + py^2 = z^2$, where p is
a prime.

16. Find all solutions in positive integers of the diophantine equation $1/x^2 + 1/y^2 = 1/z^2$.

17. Show that $(f_n f_{n+3}, 2f_{n+1} f_{n+2}, f_{n+1}^2 + f_{n+2}^2)$ is a Pythagorean triple, where $f_k$ denotes the
kth Fibonacci number.

18. Find the length of the sides of all right triangles, where the sides have integer lengths and the
area equals the perimeter.

19. Find all rational points on the unit circle $x^2 + y^2 = 1$ by determining the intersection of a line
with rational slope t that goes through the point (1, 0) with the unit circle.

20. Find all rational points on the unit circle $x^2 + y^2 = 1$ by determining the intersection of a line
with rational slope t that goes through (0, 1) with the unit circle.

21. Find all rational points on the circle $x^2 + y^2 = 2$ by determining the intersection of a line
with rational slope t that goes through (1, 1) with this circle.

22. Find all rational points on the ellipse $x^2 + 3y^2 = 4$ by determining the intersection of a line
with rational slope t that goes through (1, 1) with this ellipse.

23. Find all rational points on the ellipse $x^2 + xy + y^2 = 1$ by determining the intersection of a
line with rational slope t that goes through the point (-1, 0) with this ellipse.

24. Suppose that d is a positive integer. Find all rational points on the hyperbola $x^2 - dy^2 = 1$ by
determining the intersection of a line with rational slope t that goes through the point (-1, 0)
on the hyperbola.

25. Show that there are no rational points on the circle $x^2 + y^2 = 3$.

26. Show that there are no rational points on the circle $x^2 + y^2 = 15$.

* 27. Find all rational points on the unit sphere $x^2 + y^2 + z^2 = 1$. (Hint: Use the stereographic
projection of the unit sphere to the plane z = 0. This projection maps the point (x, y, z)
on the sphere to the point (u, v, 0) that is the intersection of the line through this point
and (0, 0, 1), the north pole of the sphere, and the plane z = 0. Parameterize the rational
points on the unit sphere using two rational parameters u and v corresponding to this point
of intersection.)

Computations and Explorations 

1. Find as many Pythagorean triples (jc, y, z) as you can, where each of x, y, and z is 1 less 
than the square of an integer. Do you think that there are infinitely many such triples? 

2. Let A (n ) denote the number of primitive Pythaogrean triples with hypotenuse less than n . Find 
A(IO') for 1 < i < 6. By examining A(10')/10' for these values of i, formulate a conjecture 
for the value approached by A (n)/n as n grows without bound. 

Programming Projects 

1. Given a positive integer n, find all Pythagorean triples containing n. 

2. Given a positive integer n, find all Pythagorean triples with hypotenuse < n. 

3. Given a positive integer n, find the number of primitive Pythagorean triples with hypotenuse 
< n. 


13.2 Fermat’s Last Theorem 

In the previous section, we showed that the diophantine equation $x^2 + y^2 = z^2$ has
infinitely many solutions in nonzero integers x, y, z. What happens when we replace
the exponent 2 in this equation with an integer greater than 2? Next to the discussion of
the equation $x^2 + y^2 = z^2$ in his copy of the works of Diophantus, Fermat wrote in the
margin:

However, it is impossible to write a cube as the sum of two cubes, a fourth power 
as the sum of two fourth powers and in general any power as the sum of two similar 
powers. For this I have discovered a truly wonderful proof, but the margin is too 
small to contain it. 

Fermat did have a proof of this theorem for the special case of n = 4. We will present 
a proof for this case, using his basic methods, later in this section. Although we will 
never know for certain whether Fermat had a proof of this result for all integers n > 2, 
mathematicians believe it is extremely unlikely that he did. By 1800, all other statements 
that he made in the margins of his copy of the works of Diophantus were resolved; some 
were proved and some were shown to be false. Nevertheless, the following theorem is 
called Fermat’s last theorem. 

Theorem 13.2. Fermat’s Last Theorem. The diophantine equation

$x^n + y^n = z^n$

has no solutions in nonzero integers x, y, and z when n is an integer with $n \ge 3$.

Note that if we could show that the diophantine equation

$x^p + y^p = z^p$

has no solution in nonzero integers x, y, and z whenever p is an odd prime, we would
know that Fermat’s last theorem is true (see Exercise 2 at the end of this section).


The quest for a proof of Fermat’s last theorem challenged mathematicians for more
than 350 years. Many great mathematicians have worked on this problem without
ultimate success. However, a long series of interesting partial results was established,
and new areas of number theory were born as mathematicians attempted to solve this
problem. The first major development was Euler’s proof in 1770 of Fermat’s last
theorem for the case n = 3. (That is, he showed that there are no solutions of the
equation $x^3 + y^3 = z^3$ in nonzero integers.) Euler’s proof contained an important error, but
Legendre managed to fill in the gap soon afterward.

In 1805, French mathematician Sophie Germain proved a general result about
Fermat’s last theorem, as opposed to a proof for a particular value of the exponent n.
She showed that if p and 2p + 1 are both primes, then $x^p + y^p = z^p$ has no solutions in
integers x, y, and z, with $xyz \ne 0$ when $p \nmid xyz$. As a special case, she showed that if
$x^5 + y^5 = z^5$, then one of the integers x, y, and z must be divisible by 5. In 1825, both
Dirichlet and Legendre, in independent work, completed the proof of the case when
n = 5, using the method of infinite descent used by Fermat to prove the n = 4 case (and
which we will demonstrate later in this section). Fourteen years later, the case of n = 7
was settled by Lamé, also using a proof by infinite descent.


In the mid-nineteenth century, mathematicians took some new approaches in
attempts to prove Fermat’s last theorem for all exponents n. The greatest success in this
direction was made by the German mathematician Ernst Kummer. He realized that a
potentially promising approach, based on the assumption that unique factorization into
primes held for certain sets of algebraic integers, was doomed to failure. To overcome this
difficulty, Kummer developed a theory that supported unique factorization into primes.
His basic idea was the concept of “ideal numbers.” Using this concept, Kummer could
prove Fermat’s last theorem for a large class of primes called regular primes. Although
there are primes, and perhaps infinitely many primes, that are irregular, Kummer’s work
showed that Fermat’s last theorem was true for many values of n. In particular,
Kummer’s work showed that Fermat’s last theorem was true for all prime exponents less than
100 other than 37, 59, and 67, because these are the only primes less than 100 that are
irregular. Kummer’s introduction of “ideal numbers” gave birth to the subject of algebraic
number theory, which blossomed into a major field of study, and to the part of abstract
algebra known as ring theory. The exponents Kummer’s work did not address — 37, 59,
67, and other relatively irregular primes — fell to a variety of more powerful techniques
in subsequent years.


SOPHIE GERMAIN (1776-1831) was born in Paris and educated at home,
using her father’s extensive library as a resource. She decided as a young teenager
to study mathematics when she discovered that Archimedes was murdered by
the Romans. She started by reading the works of Euler and Newton. Although
Germain did not attend classes, she learned from university course notes that she
managed to obtain. After reading the notes from Lagrange’s lectures, she sent
him a letter under the pseudonym M. Leblanc. Lagrange, impressed with the
insights displayed in this letter, decided to meet M. Leblanc; he was surprised
to find that its author was a young woman. Germain corresponded under the pseudonym M. LeBlanc
with many mathematicians, including Legendre, who included many of her discoveries in his book
Théorie des Nombres. She also made important contributions to the mathematical theories of elasticity
and acoustics. Gauss was impressed by her work and recommended that she receive a doctorate from
the University of Göttingen. Unfortunately, she died just before she was to receive this degree.

In 1983, the German mathematician Gerd Faltings managed to show that $x^n + y^n = z^n$
can have only a finite number of solutions in nonzero integers for a fixed positive
integer $n \ge 3$. Of course, if this finite number could have been shown to be zero for all
integers $n \ge 3$, Fermat’s last theorem would have been proved. The path to the ultimate
proof of Fermat’s last theorem began in 1986 when the German mathematician Gerhard
Frey made the first connection of Fermat’s last theorem to the subject of elliptic curves.
His remarkable work surprised mathematicians by linking two seemingly unrelated
areas.

Computers were used to run several different numerical tests that could verify that
Fermat’s last theorem was true for particular values of n. By 1977, Sam Wagstaff used
such tests (and several years of computer time) to verify that Fermat’s last theorem held
for all exponents n with n < 125,000. By 1993, such tests had been used to verify that
Fermat’s last theorem was true for all exponents n with $n < 4 \cdot 10^6$. However, at that
time, no proof of Fermat’s last theorem seemed to be in sight.


ERNST EDUARD KUMMER (1810-1893) was born in Sorau, Prussia (now
Germany). His father, a physician, died in 1813. Kummer received private
tutoring before entering the Gymnasium in Sorau in 1819. In 1828, he entered
the University of Halle to study theology; his training for philosophy included
the study of mathematics. Inspired by his mathematics instructor, H. F. Scherk,
he switched to mathematics as his major field of study. Kummer was awarded
a doctorate from the University of Halle in 1831, and began teaching at the
Gymnasium in Sorau, his old school, that same year. The following year he took
a similar position teaching at the Gymnasium in Liegnitz (now the Polish city of Legnica), holding
the post for ten years. His research on topics in function theory, including extensions of Gauss’s work
on hypergeometric series, attracted the attention of leading German mathematicians. They worked to
find him a university position.

In 1842, Kummer was appointed to a position at the University of Breslau (now Wroclaw, Poland)
and began working on number theory. In 1843, in an attempt to prove Fermat’s last theorem, he
introduced the concept of “ideal numbers.” Although this did not lead to a proof of Fermat’s last
theorem, Kummer’s ideas led to the development of new areas of abstract algebra and the new subject
of algebraic number theory. In 1855, he moved to the University of Berlin, where he remained until
his retirement in 1883.

Kummer was a popular instructor. He was noted for the clarity of his lectures as well as his sense
of humor and concern for his students. He was married twice. His first wife, the cousin of Dirichlet’s
wife, died in 1848, eight years after she and Kummer were married.

Then, in 1993, Andrew Wiles, a professor at Princeton University, shocked the
mathematical world when he showed that he could prove Fermat’s last theorem. He did
this in a series of lectures in Cambridge, England. He had given no hint that the subject
of his lectures was a proof of this notorious theorem. The proof he outlined was the
culmination of seven years of solitary work. It used a vast array of highly sophisticated
methods related to the theory of elliptic curves. Knowledgeable mathematicians were
impressed with Wiles’s arguments. Word began to spread that Fermat’s last theorem had
finally been proved. However, when Wiles’s 200-page manuscript was studied carefully,
a serious problem was found. Although it appeared for a time that it might not be possible
to fill the gap in the proof, more than a year later, Wiles (with the help of R. Taylor)
managed to fill in the remaining portions of the proof. In 1995, Wiles published his
revised proof of Fermat’s last theorem, now only 125 pages long. This version passed
careful review. Wiles’s 1995 proof marked the end of the more than 350-year search for
a proof of Fermat’s last theorem.


ANDREW WILES (b. 1953) became interested in Fermat’s last theorem at
the age of 10 when, during a visit to his local library, he found a book stating
the problem. He was struck that though it looked simple, none of the great
mathematicians could solve it, and he knew that he would never let this problem
go. In 1971, Wiles entered Merton College, Oxford. He graduated with his B.A.
in 1974, and entered Clare College, Cambridge, where he pursued his doctorate,
working on the theory of elliptic curves under John Coates. He was a Research
Fellow at Clare College and a Benjamin Pierce Assistant Professor at Harvard
from 1977 until 1980. In 1981, he held a post at the Institute for Advanced Study in Princeton, and
in 1982 he was appointed to a professorship at Princeton University. He was awarded a Guggenheim
Fellowship in 1985 and spent a year studying at the Institut des Hautes Etudes Scientifique and the
École Normale Supérieure in Paris. Ironically, he did not realize that during his years of work in the
field of elliptic curves he was learning techniques that would someday help him solve the problem
that obsessed him.


Wiles's Seven-Year Quest

In 1986, Wiles learned of work by Frey and Ribet that showed that Fermat’s last theorem
follows from a conjecture in the theory of elliptic curves, known as the Shimura-Taniyama
conjecture. Realizing that this led to a possible strategy for proving the theorem, he abandoned
his ongoing research and devoted himself entirely to working on Fermat’s last theorem.

During the first few years of this work, he talked to colleagues about his progress.
However, he decided that talking to others generated too much interest and was too distracting.
During his seven years of concentrated, solitary work on Fermat’s last theorem, he decided
that he only had time for “his problem” and his family. His best way to relax during time
away from his work was to spend time with his young children.

In 1993, Wiles revealed to several colleagues that he was close to a proof of Fermat’s
last theorem. After filling what he thought were the remaining gaps, he presented an outline
of his proof at Cambridge. Although there had been false alarms in the past about promising
proofs of Fermat’s last theorem, mathematicians generally believed Wiles had a valid proof.
However, a subtle but serious error in reasoning was found when he wrote up his results
for publication. Wiles worked diligently, with the help of a former student, for more than a
year, almost giving up in frustration, before he found a way to fill the gap.

Wiles’s success has brought him countless awards and accolades. It has also brought
him peace of mind. He has said that “having solved this problem there’s certainly a sense
of loss, but at the same time there is this tremendous sense of freedom. I was so obsessed
by this problem that for eight years I was thinking about it all the time—when I woke up in
the morning to when I went to sleep at night. That particular odyssey is now over. My mind
is at rest.”

Wiles’s proof of Fermat’s last theorem is one of those rare mathematical discoveries 
covered by the popular media. An excellent NOVA episode about this discovery was 
produced by PBS (information on this show can be found at the PBS Web site). Another 
source of general information about the proof is Fermat’s Enigma: The Epic Quest to 
Solve the World’s Greatest Mathematical Problem by Simon Singh ([Si97]). A thorough
treatment of the proof, including the mathematics of elliptic curves used in it, can 
be found in [CoSiSt97]. The original proof by Wiles was published in the Annals of 
Mathematics in 1995 ([Wi95]). 


The Wolfskehl Prize 

There was added incentive besides fame to prove Fermat’s last theorem. In 1908, the German 
industrialist Paul Wolfskehl bequeathed a prize of 100,000 marks to the Göttingen Academy
of Sciences, to be awarded to the first person to publish a proof of Fermat’s last theorem. 
Unfortunately, thousands of incorrect proofs were published in a vain attempt to win the 
prize, with more than 1000 published, usually as privately printed pamphlets, between 1908 
and 1912 alone. (Many people, often without serious mathematical training and sometimes 
without a clear notion of what a correct proof is, attempt to solve famous problems such 
as this one even if no prize is available.) Even though Wiles’s proof was acclaimed to be 
correct, it took two years for the Göttingen Academy of Sciences to award the Wolfskehl
prize to Wiles; they wanted to be certain the proof was really correct. 

Contrary to rumors that the prize had been reduced by inflation to almost nothing,
maybe even a pfennig (a German penny), Wiles received approximately $50,000. The prize
of 100,000 marks, originally worth around $1,500,000, had been reduced to approximately 
$500,000 after World War I by German hyperinflation, and the introduction of the deutsche 
mark after World War II further reduced its value. Many people have speculated about 
why Wolfskehl left such a large prize for a proof of Fermat’s last theorem. People with a 
romantic slant enjoyed the rumor that, suicidal after being jilted by his true love, he had 
regained his will to live when he found out about Fermat’s last theorem. However, more 
realistic biographical research indicates that he donated the money to spite his wife, Marie, 
whom he was forced to marry by his family. He did not want his fortune going to her after 
he died, so instead it went to the first person who could prove Fermat’s last theorem.

Readers interested in learning more about the history of Fermat’s last theorem, and
how investigations relating to this conjecture led to the genesis of the theory of algebraic
numbers, are encouraged to consult [Ed96], [Ri79], and [Va96].

The Proof for n = 4 

The proof we will give for the case when n = 4 uses the method of infinite descent devised 
by Fermat. This method is an offshoot of the well-ordering property, and shows that 
a diophantine equation has no solutions by showing that for every solution there is a 
“smaller” solution, contradicting the well-ordering property. 

Using the method of infinite descent, we will show that the diophantine equation
$x^4 + y^4 = z^2$ has no solutions in nonzero integers x, y, and z. This is stronger than
showing Fermat’s last theorem is true for n = 4, because any $x^4 + y^4 = z^4 = (z^2)^2$ gives
a solution of $x^4 + y^4 = z^2$.

Theorem 13.3. The diophantine equation

$x^4 + y^4 = z^2$

has no solutions in nonzero integers x, y, and z.

Proof. Assume that this equation has a solution in nonzero integers x, y, and z. Because
we may replace any number of the variables with their negatives without changing the
validity of the equation, we may assume that x, y, and z are positive integers.

We may also suppose that (x, y) = 1. To see this, let (x, y) = d. Then $x = dx_1$ and
$y = dy_1$, with $(x_1, y_1) = 1$, where $x_1$ and $y_1$ are positive integers. Because $x^4 + y^4 = z^2$,
we have

$(dx_1)^4 + (dy_1)^4 = z^2$,

so that

$d^4(x_1^4 + y_1^4) = z^2$.

Hence, $d^4 \mid z^2$ and, by Exercise 43 of Section 3.5, we know that $d^2 \mid z$. Therefore,
$z = d^2 z_1$, where $z_1$ is a positive integer. Thus,

$d^4(x_1^4 + y_1^4) = (d^2 z_1)^2 = d^4 z_1^2$,

so that 

This gives a solution of $x^4 + y^4 = z^2$ in positive integers $x = x_1$, $y = y_1$, and $z = z_1$ with
$(x_1, y_1) = 1$.

So suppose that $x = x_0$, $y = y_0$, and $z = z_0$ is a solution of $x^4 + y^4 = z^2$, where
$x_0$, $y_0$, and $z_0$ are positive integers with $(x_0, y_0) = 1$. We will show that there is another
solution in positive integers $x = x_1$, $y = y_1$, and $z = z_1$ with $(x_1, y_1) = 1$, such that $z_1 < z_0$.

Because $x_0^4 + y_0^4 = z_0^2$, we have

$(x_0^2)^2 + (y_0^2)^2 = z_0^2$,

so that $x_0^2$, $y_0^2$, $z_0$ is a Pythagorean triple. Furthermore, we have $(x_0^2, y_0^2) = 1$, for if p
is a prime such that $p \mid x_0^2$ and $p \mid y_0^2$, then $p \mid x_0$ and $p \mid y_0$, contradicting the fact that
$(x_0, y_0) = 1$. Hence, $x_0^2$, $y_0^2$, $z_0$ is a primitive Pythagorean triple, and, by Theorem 13.1,
we know that there are positive integers m and n with $(m, n) = 1$, $m \not\equiv n \pmod{2}$, and

$x_0^2 = m^2 - n^2$,

$y_0^2 = 2mn$,

$z_0 = m^2 + n^2$,

where we have interchanged $x_0^2$ and $y_0^2$, if necessary, to make $y_0^2$ the even integer of this
pair.

From the equation for $x_0^2$, we see that

$x_0^2 + n^2 = m^2$.

Because (m, n) = 1, it follows that $x_0$, n, m is a primitive Pythagorean triple, m is odd,
and n is even. Again, using Theorem 13.1, we see that there are positive integers r and
s with (r, s) = 1, $r \not\equiv s \pmod{2}$, and

$x_0 = r^2 - s^2$,

$n = 2rs$,

$m = r^2 + s^2$.

Because m is odd and (m, n) = 1, we know that (m, 2n) = 1. We note that because
$y_0^2 = (2n)m$, Lemma 13.3 tells us that there are positive integers $z_1$ and w with $m = z_1^2$
and $2n = w^2$. Because w is even, w = 2v, where v is a positive integer, so that

$v^2 = n/2 = rs$.

Because (r, s) = 1, Lemma 13.3 tells us that there are positive integers $x_1$ and $y_1$ such
that $r = x_1^2$ and $s = y_1^2$. Note that because (r, s) = 1, it easily follows that $(x_1, y_1) = 1$.
Hence,

$x_1^4 + y_1^4 = r^2 + s^2 = m = z_1^2$,

where $x_1$, $y_1$, $z_1$ are positive integers with $(x_1, y_1) = 1$. Moreover, we have $z_1 < z_0$,
because

$z_1 \le z_1^4 = m^2 < m^2 + n^2 = z_0$.

To complete the proof, assume that $x^4 + y^4 = z^2$ has at least one integral solution.
By the well-ordering property, we know that among the solutions in positive integers
there is a solution with the smallest value $z_0$ of the variable z. However, we have shown
that from this solution we can find another solution with a smaller value of the variable
z, leading to a contradiction. This completes the proof by the method of infinite descent.





Conjectures About Some Diophantine Equations 

The resolution of a longstanding conjecture in mathematics often leads to new
conjectures, and this certainly is the case for Fermat’s last theorem. For example, Andrew Beal,
a banker and amateur mathematician, conjectured that a generalized version of Fermat’s
last theorem is true, where the exponents on the three terms in the equation $x^n + y^n = z^n$
are allowed to be different.


Beal’s Conjecture The equation $x^a + y^b = z^c$ has no solutions in positive integers
x, y, z, a, b, c, where $a \ge 3$, $b \ge 3$, and $c \ge 3$ and (x, y) = (y, z) = (x, z) = 1.

Beal’s conjecture has not been solved. To generate interest in his conjecture, Andrew 
Beal has offered a prize of $100,000 for a proof or a counterexample. 

The proof of Fermat’s last theorem in the 1990s settled what was the best-known
conjecture related to diophantine equations. Surprisingly, in 2002, another well-known,
longstanding conjecture about diophantine equations was also settled. In 1844, the
Belgian mathematician Eugene Catalan conjectured that the only consecutive positive
integers that are both powers (squares, cubes, or higher powers) of integers are $8 = 2^3$
and $9 = 3^2$. In other words, he made the following conjecture.


The Catalan Conjecture The diophantine equation

$x^m - y^n = 1$

has no solutions in positive integers x, y, m, and n, where $m \ge 2$ and $n \ge 2$, other than
x = 3, y = 2, m = 2, and n = 3.

Certain cases of the Catalan conjecture have been settled since the fourteenth century
when Levi ben Gerson proved that 8 and 9 were the only consecutive integers that
are powers of 2 and 3. That is, he showed that if $3^n - 2^m = \pm 1$, where m and n are
positive integers with $m \ge 2$ and $n \ge 2$, then m = 3 and n = 2. In the eighteenth century,
Euler used the method of infinite descent to prove that the only consecutive cube and
square are 8 and 9. That is, he proved that the only solution of the diophantine equation
$x^3 - y^2 = \pm 1$ is x = 2 and y = 3. Additional progress was made during the nineteenth
and early twentieth centuries, and in 1976, R. Tijdeman showed that the Catalan equation
had at most a finite number of solutions. It was not until 2002 that the Catalan conjecture
was settled, when Preda Mihailescu finally proved that this conjecture is correct.

A new conjecture has been formulated that attempts to unify Fermat’s last theorem 
and Mihailescu’s theorem proving the Catalan conjecture. 


Fermat-Catalan Conjecture The equation $x^a + y^b = z^c$ has at most finitely many
solutions if (x, y) = (y, z) = (x, z) = 1 and $\frac{1}{a} + \frac{1}{b} + \frac{1}{c} < 1$.

The Fermat-Catalan conjecture remains open. At the present time, ten solutions of
this diophantine equation are known that satisfy the hypotheses. They are:

$1 + 2^3 = 3^2$,
$2^5 + 7^2 = 3^4$,
$7^3 + 13^2 = 2^9$,
$2^7 + 17^3 = 71^2$,
$3^5 + 11^4 = 122^2$,
$17^7 + 76271^3 = 21063928^2$,
$1414^3 + 2213459^2 = 65^7$,
$9262^3 + 15312283^2 = 113^7$,
$43^8 + 96222^3 = 30042907^2$,
$33^8 + 1549034^2 = 15613^3$.
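The ten identities above can be checked mechanically. The following Python sketch is an added example, not part of the original text: it verifies each listed solution against both hypotheses of the Fermat-Catalan conjecture and then recovers the five smallest by exhaustive search. The function names, the search bound, and the exponent 7 chosen for the bare term 1 are assumptions made here.

```python
from fractions import Fraction
from math import gcd

# 1 = 1^a for every a, so the list writes the first term of the first solution
# as a bare 1. Assumption made here: use a = 7, the smallest exponent for
# which 1/a + 1/3 + 1/2 < 1.
ONE_EXP = 7

# (x, a, y, b, z, c) stands for x^a + y^b = z^c; values copied from the list above.
KNOWN = [
    (1, ONE_EXP, 2, 3, 3, 2),
    (2, 5, 7, 2, 3, 4),
    (7, 3, 13, 2, 2, 9),
    (2, 7, 17, 3, 71, 2),
    (3, 5, 11, 4, 122, 2),
    (17, 7, 76271, 3, 21063928, 2),
    (1414, 3, 2213459, 2, 65, 7),
    (9262, 3, 15312283, 2, 113, 7),
    (43, 8, 96222, 3, 30042907, 2),
    (33, 8, 1549034, 2, 15613, 3),
]


def satisfies_hypotheses(x, a, y, b, z, c):
    """Pairwise coprime bases and 1/a + 1/b + 1/c < 1 (exact rational test)."""
    coprime = gcd(x, y) == 1 and gcd(y, z) == 1 and gcd(x, z) == 1
    return coprime and Fraction(1, a) + Fraction(1, b) + Fraction(1, c) < 1


def is_solution(x, a, y, b, z, c):
    """True when x^a + y^b = z^c holds exactly and the hypotheses are met."""
    return x**a + y**b == z**c and satisfies_hypotheses(x, a, y, b, z, c)


def perfect_powers(limit):
    """Map every perfect power v <= limit to (base, exp) with exp as large as possible."""
    table = {1: (1, ONE_EXP)}
    base = 2
    while base * base <= limit:
        value, exp = base * base, 2
        while value <= limit:
            # Bases are visited in increasing order, so the first writer of a
            # value is its smallest base, i.e. its largest exponent (64 -> 2^6).
            # The largest exponent gives the smallest reciprocal, so no
            # qualifying representation of a value is missed.
            table.setdefault(value, (base, exp))
            value, exp = value * base, exp + 1
        base += 1
    return table


def search(limit):
    """All solutions with z^c <= limit, found by exhaustive search."""
    table = perfect_powers(limit)
    values = sorted(table)
    found = []
    for i, first in enumerate(values):
        for second in values[i + 1:]:
            total = first + second
            if total > limit:
                break
            if total in table:
                candidate = table[first] + table[second] + table[total]
                if satisfies_hypotheses(*candidate):
                    found.append(candidate)
    return sorted(found, key=lambda s: s[4] ** s[5])


if __name__ == "__main__":
    for sol in KNOWN:
        print(sol, is_solution(*sol))
    for x, a, y, b, z, c in search(15000):
        print(f"{x}^{a} + {y}^{b} = {z}^{c} = {z**c}")
```

The exact `Fraction` comparison matters: an identity such as 3^2 + 2^4 = 5^2 is true but has reciprocal sum 5/4, so it is correctly rejected.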


The abc Conjecture 

In 1985, Joseph Oesterle and David Masser formulated a conjecture that intrigues many 
mathematicians. If true, their conjecture could be used to resolve questions about many 
well-known diophantine equations. Before stating the conjecture, we need to introduce 
some notation. 

Definition. If n is a positive integer, then rad(n) is the product of the distinct prime
factors of n. Note that rad(n) is also called the squarefree part of n because it can be
obtained by eliminating all the factors that produce squares from the prime factorization
of n.


LEVI BEN GERSON (1288-1344), born at Bagnols in southern France, was a man
of many talents. He was a Jewish philosopher and biblical scholar, a mathematician,
an astronomer, and a physician. Most likely he made his living by practicing medicine,
especially because he never held a rabbinical post. Little is known about the particulars of
his life other than that he lived in Orange and later in Avignon. In 1321, Levi wrote The
Book of Numbers dealing with arithmetical operations, including the extraction of roots.
Later in life, he wrote On Sines, Chords and Arcs, a book dealing with trigonometry, which
gives sine tables that were long noted for their accuracy. In 1343, the bishop of Meaux asked
Levi to write a commentary on the first five books of Euclid, which he called The Harmony
of Numbers. Levi also invented an instrument to measure the angular distance between
celestial objects called Jacob’s staff. He observed both lunar and solar eclipses and proposed
new astronomical models based on the data he collected. His philosophical writings are
extensive. They are considered to be major contributions to medieval philosophy.

Levi maintained contacts with prominent Christians, and was noted for the universality
of his thinking. Pope Clement VI even translated some of Levi’s astronomical writings into
Latin, and the astronomer Kepler made use of this translation. Levi was fortunate to live
in Provence, where popes provided some protection to Jews, rather than another part of
France. However, at times persecution made it difficult for Levi to work, even preventing
him from obtaining important volumes of Jewish scholarship.

Example 13.4. If $n = 2^4 \cdot 3^2 \cdot 5^3 \cdot 7^2 \cdot 11$, then $\operatorname{rad}(n) = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 = 2310$. ◄

We can now state the conjecture.

abc Conjecture For every real number $\epsilon > 0$ there exists a constant $K(\epsilon)$ such that if
a, b, and c are integers such that a + b = c and (a, b) = 1, then

$\max(|a|, |b|, |c|) < K(\epsilon)(\operatorname{rad}(abc))^{1+\epsilon}$.

Many deep results have been shown to be consequences of this conjecture. It would take
us too far afield to develop the background and motivation for the abc conjecture. To
learn about the origins of the conjecture and its consequences, see the expository articles
[GrTu02] and [Ma00]. In the following example, we will show how the abc conjecture
can be used to prove a result related to Fermat’s last theorem.

Example 13.5. We can apply the abc conjecture to obtain a partial solution of Fermat’s
last theorem. We follow an argument of Granville and Tucker [GrTu02]. Suppose that

$x^n + y^n = z^n$,

where x, y, and z are pairwise relatively prime integers. Let $a = x^n$, $b = y^n$, and $c = z^n$.
We can estimate $\operatorname{rad}(abc) = \operatorname{rad}(x^n y^n z^n)$ by noting that

$\operatorname{rad}(x^n y^n z^n) = \operatorname{rad}(xyz) \le xyz < z^3$.

The equality $\operatorname{rad}(x^n y^n z^n) = \operatorname{rad}(xyz)$ holds because the primes dividing $x^n y^n z^n$ are the
same as the primes dividing xyz. The first inequality follows because $\operatorname{rad}(m) \le m$ for
every positive integer m, and the last inequality holds because x and y are positive, so
that x < z and y < z.


EUGENE CATALAN (1814-1894) was born in Bruges, Belgium. He graduated
from the Ecole Polytechnique in 1835. He then was appointed to a teaching
post at Chalons sur Marne. Catalan obtained a lectureship in descriptive geometry
at the Ecole Polytechnique in 1838, with the help of his schoolmate Joseph
Liouville, who was impressed by Catalan’s mathematical talents. Unfortunately,
Catalan’s career was adversely affected by the reaction of the authorities to his
political activity in favor of the French Republic. Catalan published extensively
on topics in number theory and other areas of mathematics. He is perhaps best
known for his definition of the numbers now known as Catalan numbers, which appear in so many
contexts in enumeration problems. He used these numbers to solve the problem of determining the
number of regions produced by the dissection of a polygon into triangles by nonintersecting diagonals.
It turns out that Catalan was not the first to solve this problem, because it was solved in the eighteenth
century by Segner, who presented a less elegant solution than Catalan.

Now applying the abc conjecture and noting that $\max(|a|, |b|, |c|) = z^n$, for every
$\epsilon > 0$, there exists a constant $K(\epsilon) > 0$ such that

$z^n < K(\epsilon)(z^3)^{1+\epsilon}$.

If we take $\epsilon = 1/6$ and $n \ge 4$, it is easy to see that $n - 3(1 + \epsilon) \ge n/8$. This implies
that

$z^n < K(1/6)^8$,

where $K(1/6)$ is the value of the constant $K(\epsilon)$ for $\epsilon = 1/6$. It follows that $z < K(1/6)^{8/n}$.
Consequently, in a solution of $x^n + y^n = z^n$ with $n \ge 4$, the numbers x, y, and z are all
less than a fixed bound, which implies that there are only finitely many such solutions.
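An added computational illustration of the definition of rad(n) and of the inequality in the abc conjecture (not part of the original text): it reproduces Example 13.4, lists the coprime triples a + b = c with c at most 100 for which c exceeds rad(abc), showing that the inequality fails without the constant and the exponent 1 + ε, and computes a value that K(1/6) must exceed. The function names and the bound 100 are assumptions made here.

```python
from math import gcd


def rad(n):
    """rad(n): product of the distinct primes dividing n, by trial division."""
    n = abs(n)
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            result *= p
            while n % p == 0:
                n //= p
        p += 1
    return result * n if n > 1 else result  # any leftover n > 1 is a prime


def rad_table(limit):
    """rad(m) for every m in 1..limit by a sieve; entry 0 is unused."""
    table = [1] * (limit + 1)
    for p in range(2, limit + 1):
        if table[p] == 1:  # no smaller prime divides p, so p is prime
            for m in range(p, limit + 1, p):
                table[m] *= p
    return table


def exceptional_triples(limit):
    """Coprime a < b with c = a + b <= limit and c > rad(abc)."""
    r = rad_table(limit)
    hits = []
    for c in range(3, limit + 1):
        for a in range(1, (c + 1) // 2):
            b = c - a
            # a, b, c are pairwise coprime, so rad(abc) = rad(a) rad(b) rad(c).
            if gcd(a, b) == 1 and r[a] * r[b] * r[c] < c:
                hits.append((a, b, c))
    return hits


def k_lower_bound(limit, eps):
    """Largest c / rad(abc)^(1 + eps) over coprime a + b = c <= limit.

    Any constant K(eps) that satisfies the conjecture must exceed this value.
    """
    r = rad_table(limit)
    best = 0.0
    for c in range(2, limit + 1):
        for a in range(1, c // 2 + 1):
            b = c - a
            if gcd(a, b) == 1:
                best = max(best, c / (r[a] * r[b] * r[c]) ** (1 + eps))
    return best


if __name__ == "__main__":
    print(rad(2**4 * 3**2 * 5**3 * 7**2 * 11))   # Example 13.4
    for a, b, c in exceptional_triples(100):
        print(f"{a} + {b} = {c}, rad(abc) = {rad(a * b * c)}")
    print(k_lower_bound(100, 1 / 6))
```

The step rad(x^n y^n z^n) = rad(xyz) used in Example 13.5 can be checked the same way, for instance with `rad((3 * 4 * 5) ** 7) == rad(3 * 4 * 5)`.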


13.2 Exercises 

1. Show that if x, y, z is a Pythagorean triple and n is an integer with n > 2, then
$x^n + y^n \ne z^n$.

2. Show that Fermat’s last theorem is a consequence of Theorem 13.3, and of the assertion that
$x^p + y^p = z^p$ has no solutions in nonzero integers when p is an odd prime.

3. Using Fermat’s little theorem, show that if p is prime, and

a) if $x^{p-1} + y^{p-1} = z^{p-1}$, then $p \mid xyz$.

b) if $x^p + y^p = z^p$, then $p \mid (x + y - z)$.

>■ 4. Show that the diophantine equation $x^4 - y^4 = z^2$ has no solutions in nonzero integers using
the method of infinite descent.

5. Using Exercise 4, show that the area of a right triangle with integer sides is never a perfect
square.

* 6. Show that the diophantine equation $x^4 + 4y^4 = z^2$ has no solutions in nonzero integers.

* 7. Show that the diophantine equation $x^4 + 8y^4 = z^2$ has no solutions in nonzero integers.

8. Show that the diophantine equation $x^4 + 3y^4 = z^2$ has infinitely many solutions.

9. Find all solutions in the rational numbers of the diophantine equation $y^2 = x^4 + 1$.

A diophantine equation of the form $y^2 = x^3 + k$, where k is an integer, is called a Bachet equation
after Claude Bachet, a French mathematician of the early seventeenth century.

10. Show that the Bachet equation $y^2 = x^3 + 7$ has no solutions. (Hint: Consider the congruence
resulting by first adding 1 to both sides of the equation and reducing modulo 4.)

* 11. Show that the Bachet equation $y^2 = x^3 + 23$ has no solutions in integers x and y. (Hint: Look
at the congruence obtained by reducing this equation modulo 4.)

* 12. Show that the Bachet equation $y^2 = x^3 + 45$ has no solutions in integers x and y. (Hint: Look
at the congruence obtained by reducing this equation modulo 8.)

13. Show that in a Pythagorean triple there is at most one square.

14. Show that the diophantine equation $x^2 + y^2 = z^3$ has infinitely many integer solutions,
by showing that for each positive integer k, the integers $x = 3k^2 - 1$, $y = k(k^2 - 3)$, and
$z = k^2 + 1$ form a solution.

15. This exercise asks for a proof of a theorem proved by Sophie Germain in 1805. Suppose
that n and p are odd primes, such that $p \mid xyz$ whenever x, y, and z are integers such that
$x^n + y^n + z^n \equiv 0 \pmod{p}$. Further suppose that there are no solutions of the congruence
$w^n \equiv n \pmod{p}$. Show that if x, y, and z are integers such that $x^n + y^n + z^n = 0$, then $n \mid xyz$.

16. Show that the diophantine equation $w^3 + x^3 + y^3 = z^3$ has infinitely many nontrivial
solutions. (Hint: Take $w = 9zk^4$, $x = z(1 - 9k^3)$, and $y = 3zk(1 - 3k^3)$, where z and k are nonzero
integers.)

17. Can you find four consecutive positive integers such that the sum of the cubes of the first
three is the cube of the fourth integer?

18. Prove that the diophantine equation $w^4 + x^4 = y^4 + z^4$ has infinitely many nontrivial
solutions. (Hint: Follow Euler by taking
$w = m^7 + m^5n^2 - 2m^3n^4 + 3m^2n^5 + mn^6$,
$x = m^6n - 3m^5n^2 - 2m^4n^3 + m^2n^5 + n^7$,
$y = m^7 + m^5n^2 - 2m^3n^4 - 3m^2n^5 + mn^6$, and
$z = m^6n + 3m^5n^2 - 2m^4n^3 + m^2n^5 + n^7$,
where m and n are positive integers.)

19. Show that the only solution of the diophantine equation $3^n - 2^m = -1$ in positive integers m
and n is m = 2 and n = 1.

20. Show that the only solution of the diophantine equation $3^n - 2^m = 1$ in positive integers m
and n is m = 3 and n = 2.

21. The diophantine equation $x^2 + y^2 + z^2 = 3xyz$ is called Markov’s equation.

a) Show that if x = a, y = b, and z = c is a solution of Markov’s equation, then x = a, y = b,
and z = 3ab - c is also a solution of Markov’s equation.


CLAUDE GASPAR BACHET DE MEZIRIAC (1581-1638) was born in
Bourg-en-Bresse, France. His father was an aristocrat and was the highest judicial
officer in the province. His early education took place at a house of the
Jesuit order of the Duchy of Savoy. Later, he studied under the Jesuits in Lyon,
Padua, and Milan. In 1601, he entered the Jesuit Order in Milan where it is
presumed that he taught. Unfortunately, he became ill in 1602 and left the Jesuit
order. He resolved to live a life of leisure on his estate at Bourg-en-Bresse,
which produced a considerable annual income for him. Bachet married in 1612
and had seven children. Bachet spent almost all of his life living on his estate, except for 1619-1620,
when he lived in Paris. While in Paris, it was suggested that he become tutor to Louis XIII. This led
to a hasty departure from the royal court.

Bachet’s work in number theory concentrated on diophantine equations. In 1612, he presented
a complete discussion on the solution of linear diophantine equations. In 1621, Bachet conjectured 
that every positive integer can be written as the sum of four squares; he checked his conjecture for all 
integers up to 325. Also, in 1621, Bachet discussed the diophantine equation that now bears his name. 
He is best known, however, for his Latin translation from the original Greek of Diophantus’ book 
Arithmetica. It was in his copy of this book that Fermat wrote his marginal note about what we now 
call Fermat’s last theorem. Bachet also wrote books on mathematical puzzles. His writings were the 
basis of most later books on mathematical recreations. Bachet discovered a method of constructing 
magic squares. He was elected to the French Academy in 1635. 

Bachet also composed literary works, including poems in French, Italian, and Latin, translated 
religious works and some of Ovid’s writings, and published an anthology of French poems entitled 
Délices.

* b) Show that every solution in positive integers of Markov’s equation is generated starting
with the solution $x = 1$, $y = 1$, and $z = 1$ and successively using part (a).

* * 22. Apply the abc conjecture to the Catalan equation $x^m - y^n = 1$, where $m$ and $n$ are integers
with $m > 2$ and $n > 2$, to obtain a partial solution of the Catalan conjecture.

* * 23. Apply the abc conjecture to show that there are no solutions to Beal’s conjecture when the
exponents are sufficiently large.


Computations and Explorations 

1. Euler conjectured that no sum of fewer than n nth powers of nonzero integers is equal to the 
nth power of an integer. Show that this conjecture is false (as was shown in 1966 by Lander 
and Parkin) by finding four fifth powers of integers whose sum is also the fifth power of an 
integer. Can you find other counterexamples to Euler’s claim? 

2. Given a positive integer n, find as many pairs of equal sums of nth powers as you can. 


Programming Projects 

1. Given a positive integer $n$, search for solutions of the diophantine equation $x^n + y^n = z^n$.

2. Generate solutions of the diophantine equation $x^2 + y^2 = z^3$ (see Exercise 16).

3. Given a positive integer $k$, search for solutions in integers of Bachet’s equation $y^2 = x^3 + k$.

4. Generate the solutions of Markov’s equation, defined in Exercise 21.


13.3 Sums of Squares 

Mathematicians throughout history have been interested in problems regarding the
representation of integers as sums of squares. Diophantus, Fermat, Euler, and Lagrange are
among the mathematicians who made important contributions to the solution of such
problems. In this section, we discuss two questions of this kind: Which integers are the
sum of two squares? What is the least integer $n$ such that every positive integer is the
sum of $n$ squares?

We begin by considering the first question. Not every positive integer is the sum of
two squares. In fact, $n$ is not the sum of two squares if it is of the form $4k + 3$. To see this,
note that because $a^2 \equiv 0$ or $1 \pmod{4}$ for every integer $a$, $x^2 + y^2 \equiv 0$, $1$, or $2 \pmod{4}$.

To conjecture which integers are the sum of two squares, we first examine some 
small positive integers. 


Example 13.6. Among the first 20 positive integers, note that 

$1 = 0^2 + 1^2$,
$2 = 1^2 + 1^2$,
3 is not the sum of two squares,
$4 = 2^2 + 0^2$,
$5 = 1^2 + 2^2$,
6 is not the sum of two squares,
7 is not the sum of two squares,
$8 = 2^2 + 2^2$,
$9 = 3^2 + 0^2$,
$10 = 3^2 + 1^2$,
11 is not the sum of two squares,
12 is not the sum of two squares,
$13 = 3^2 + 2^2$,
14 is not the sum of two squares,
15 is not the sum of two squares,
$16 = 4^2 + 0^2$,
$17 = 4^2 + 1^2$,
$18 = 3^2 + 3^2$,
19 is not the sum of two squares,
$20 = 2^2 + 4^2$.


It is not immediately obvious from the evidence in Example 13.6 which integers, 
in general, are the sum of two squares. (Can you see anything in common among those 
positive integers not representable as the sum of two squares?) 

We now begin a discussion that will show that the prime factorization of an integer 
determines whether this integer is the sum of two squares. There are two reasons for this. 
The first is that the product of two integers that are sums of two squares is again the sum 
of two squares; the second is that a prime is representable as the sum of two squares if 
and only if it is not of the form $4k + 3$. We will prove both of these results. Then we will
state and prove the theorem that specifies which integers are the sum of two squares. 

The proof that the product of sums of two squares is again the sum of two squares 
relies on an important algebraic identity that we will use several times in this section. 


Theorem 13.4. If m and n are both sums of two squares, then mn is also the sum of 
two squares. 

Proof. Let $m = a^2 + b^2$ and $n = c^2 + d^2$. Then

(13.2) $mn = (a^2 + b^2)(c^2 + d^2) = (ac + bd)^2 + (ad - bc)^2.$

The reader can easily verify this identity by expanding all the terms. ■

Example 13.7. Because $5 = 2^2 + 1^2$ and $13 = 3^2 + 2^2$, it follows from (13.2) that

$65 = 5 \cdot 13 = (2^2 + 1^2)(3^2 + 2^2) = (2 \cdot 3 + 1 \cdot 2)^2 + (2 \cdot 2 - 1 \cdot 3)^2 = 8^2 + 1^2.$ ◄

One crucial result is that every prime of the form 4k + 1 is the sum of two squares. 
To prove this result, we will need the following lemma. 


Lemma 13.4. If $p$ is a prime of the form $4m + 1$, where $m$ is an integer, then there
exist integers $x$ and $y$ such that $x^2 + y^2 = kp$ for some positive integer $k$ with $k < p$.

Proof. By Theorem 11.5, we know that $-1$ is a quadratic residue of $p$. Hence, there is
an integer $a$, $a < p$, such that $a^2 \equiv -1 \pmod{p}$. It follows that $a^2 + 1 = kp$ for some
positive integer $k$. Hence, $x^2 + y^2 = kp$, where $x = a$ and $y = 1$. From the inequality
$kp = x^2 + y^2 \le (p - 1)^2 + 1 < p^2$, we see that $k < p$. ■

We can now prove the following theorem, which tells us that all primes not of the 
form 4k + 3 are the sum of two squares. 

Theorem 13.5. If $p$ is a prime not of the form $4k + 3$, then there are integers $x$ and $y$
such that $x^2 + y^2 = p$.

Proof. Note that 2 is the sum of two squares, because $1^2 + 1^2 = 2$. Now, suppose
that $p$ is a prime of the form $4k + 1$. Let $m$ be the smallest positive integer such that
$x^2 + y^2 = mp$ has a solution in integers $x$ and $y$. By Lemma 13.4, there is such an
integer less than $p$; by the well-ordering property, a least such integer exists. We will
show that $m = 1$.

Assume that $m > 1$. Let $a$ and $b$ be defined by

$a \equiv x \pmod{m}, \quad b \equiv y \pmod{m}$

and

$-m/2 < a \le m/2, \quad -m/2 < b \le m/2.$

It follows that $a^2 + b^2 \equiv x^2 + y^2 = mp \equiv 0 \pmod{m}$. Hence, there is an integer $k$ such
that

$a^2 + b^2 = km.$

We have

$(a^2 + b^2)(x^2 + y^2) = (km)(mp) = km^2p.$

By equation (13.2), we have

$(a^2 + b^2)(x^2 + y^2) = (ax + by)^2 + (ay - bx)^2.$

Furthermore, because $a \equiv x \pmod{m}$ and $b \equiv y \pmod{m}$, we have

$ax + by \equiv x^2 + y^2 \equiv 0 \pmod{m}$
$ay - bx \equiv xy - yx \equiv 0 \pmod{m}.$

Hence, $(ax + by)/m$ and $(ay - bx)/m$ are integers, so that

$\left(\frac{ax + by}{m}\right)^2 + \left(\frac{ay - bx}{m}\right)^2 = km^2p/m^2 = kp$

is the sum of two squares. If we show that $0 < k < m$, this will contradict the choice of $m$
as the minimum positive integer such that $x^2 + y^2 = mp$ has a solution in integers. We
know that $a^2 + b^2 = km$, $-m/2 < a \le m/2$, and $-m/2 < b \le m/2$. Hence, $a^2 \le m^2/4$
and $b^2 \le m^2/4$. We have

$0 \le km = a^2 + b^2 \le 2(m^2/4) = m^2/2.$

Consequently, $0 \le k \le m/2$. It follows that $k < m$. All that remains is to show that $k \ne 0$.
If $k = 0$, we have $a^2 + b^2 = 0$. This implies that $a = b = 0$, so that $x \equiv y \equiv 0 \pmod{m}$,
which shows that $m \mid x$ and $m \mid y$. Because $x^2 + y^2 = mp$, this implies that $m^2 \mid mp$,
which implies that $m \mid p$. Because $m$ is less than $p$, this implies that $m = 1$, which is
what we wanted to prove. ■

We can now put all the pieces together and prove the fundamental result that 
classifies the positive integers that are representable as the sum of two squares. 

Theorem 13.6. The positive integer $n$ is the sum of two squares if and only if each
prime factor of $n$ of the form $4k + 3$ occurs to an even power in the prime factorization
of $n$.

Proof. Suppose that in the prime factorization of $n$ there are no primes of the form
$4k + 3$ that appear to an odd power. We write $n = t^2u$, where $u$ is the product of primes.
No primes of the form $4k + 3$ appear in $u$. By Theorem 13.5, each prime in $u$ can be
written as the sum of two squares. Applying Theorem 13.4 one time fewer than the
number of different primes in $u$ shows that $u$ is also the sum of two squares, say,

$u = x^2 + y^2.$

It then follows that $n$ is also the sum of two squares, namely,

$n = (tx)^2 + (ty)^2.$

Now, suppose that there is a prime $p$, $p \equiv 3 \pmod{4}$, that occurs in the prime factorization
of $n$ to an odd power, say, the $(2j + 1)$th power. Furthermore, suppose that $n$ is the sum
of two squares, that is,

$n = x^2 + y^2.$

Let $(x, y) = d$, $a = x/d$, $b = y/d$, and $m = n/d^2$. It follows that $(a, b) = 1$ and

$a^2 + b^2 = m.$

Suppose that $p^k$ is the largest power of $p$ that divides $d$. Then $m$ is divisible by $p^{2j-2k+1}$,
and $2j - 2k + 1$ is at least 1 because it is nonnegative; hence, $p \mid m$. We know that $p$
does not divide $a$, for if $p \mid a$, then $p \mid b$ because $b^2 = m - a^2$, but $(a, b) = 1$.

Thus, there is an integer $z$ such that $az \equiv b \pmod{p}$. It follows that

$a^2 + b^2 \equiv a^2 + (az)^2 = a^2(1 + z^2) \pmod{p}.$

Because $a^2 + b^2 = m$ and $p \mid m$, we see that

$a^2(1 + z^2) \equiv 0 \pmod{p}.$

Because $(a, p) = 1$, it follows that $1 + z^2 \equiv 0 \pmod{p}$. This implies that
$z^2 \equiv -1 \pmod{p}$, which is impossible because $-1$ is not a quadratic residue of $p$, because
$p \equiv 3 \pmod{4}$. This contradiction shows that $n$ could not have been the sum of two
squares. ■
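
The proofs of Theorems 13.4 through 13.6 are constructive, and the following added example (not code from the text) turns them into a procedure: it starts from Lemma 13.4, runs the descent from the proof of Theorem 13.5 until $m = 1$, and combines primes with identity (13.2). The function names are assumptions of this example, and finding the square root of $-1$ by raising a quadratic nonresidue to the power $(p-1)/4$ is a standard technique chosen here, not one described in this section.

```python
"""Two-square representations built from Theorems 13.4-13.6 (added example)."""


def compose(u, v):
    """Identity (13.2): (a^2+b^2)(c^2+d^2) = (ac+bd)^2 + (ad-bc)^2."""
    (a, b), (c, d) = u, v
    return abs(a * c + b * d), abs(a * d - b * c)


def centered(v, m):
    """Residue r of v modulo m with -m/2 < r <= m/2, as in the proof."""
    r = v % m
    return r - m if 2 * r > m else r


def sqrt_of_minus_one(p):
    """Return a with a^2 = -1 (mod p) for a prime p = 1 (mod 4).

    If g is a quadratic nonresidue then g^((p-1)/2) = -1 (mod p),
    so a = g^((p-1)/4) is a square root of -1.
    """
    for g in range(2, p):
        a = pow(g, (p - 1) // 4, p)
        if (a * a + 1) % p == 0:
            return a
    raise ValueError("p must be a prime congruent to 1 modulo 4")


def prime_as_two_squares(p):
    """Descent from the proof of Theorem 13.5; returns (x, y) with x >= y >= 0."""
    if p == 2:
        return (1, 1)
    if p % 4 != 1:
        raise ValueError("primes of the form 4k + 3 are not sums of two squares")
    x, y = sqrt_of_minus_one(p), 1          # Lemma 13.4: x^2 + y^2 = m*p, m < p
    m = (x * x + y * y) // p
    while m > 1:
        a, b = centered(x, m), centered(y, m)
        # (ax+by)/m and (ay-bx)/m are integers whose squares sum to k*p, k < m.
        x, y = (a * x + b * y) // m, (a * y - b * x) // m
        m = (x * x + y * y) // p
    return tuple(sorted((abs(x), abs(y)), reverse=True))


def factorize(n):
    """Prime factorization by trial division, as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def two_squares(n):
    """Theorem 13.6: return (x, y) with x^2 + y^2 = n, or None if impossible."""
    factors = factorize(n)
    if any(p % 4 == 3 and e % 2 == 1 for p, e in factors.items()):
        return None
    t, rep = 1, (1, 0)                      # n = t^2 * u, u a product of primes
    for p, e in factors.items():
        t *= p ** (e // 2)
        if e % 2 == 1:
            rep = compose(rep, prime_as_two_squares(p))
    return tuple(sorted((t * rep[0], t * rep[1]), reverse=True))


if __name__ == "__main__":
    for n in (65, 377, 1000, 999):
        print(n, two_squares(n))
```

Trial division keeps the example short; the descent itself needs only modular exponentiation and integer division.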

Because there are positive integers not representable as the sum of two squares, we 
can ask whether every positive integer is the sum of three squares. The answer is no, as it 
is impossible to write 7 as the sum of three squares (as the reader should show). Because 
three squares do not suffice, we ask whether four squares do. The answer to this is yes, as
we will show. Fermat wrote that he had a proof of this fact, although he never published 
it (and most historians of mathematics believe that he actually had such a proof). Euler 
was unable to find a proof, although he made substantial progress toward a solution. It 
was in 1770 that Lagrange presented the first published solution. 

The proof that every positive integer is the sum of four squares depends on the 
following theorem, which shows that the product of two integers both representable as 
the sum of four squares can also be so represented. Just as with the analogous result for 
two squares, there is an important algebraic identity used in the proof. 

Theorem 13.7. If m and n are positive integers that are each the sum of four squares, 
then mn is also the sum of four squares. 

Proof. Let $m = a^2 + b^2 + c^2 + d^2$ and $n = e^2 + f^2 + g^2 + h^2$. The fact that $mn$ is also
the sum of four squares follows from the following algebraic identity:

(13.3) $mn = (a^2 + b^2 + c^2 + d^2)(e^2 + f^2 + g^2 + h^2)$
$= (ae + bf + cg + dh)^2 + (af - be + ch - dg)^2$
$+ (ag - bh - ce + df)^2 + (ah + bg - cf - de)^2.$

The reader can easily verify this identity by multiplying all the terms. ■

We illustrate the use of Theorem 13.7 with an example.

Example 13.8. Because $7 = 2^2 + 1^2 + 1^2 + 1^2$ and $10 = 3^2 + 1^2 + 0^2 + 0^2$, from
(13.3) it follows that

$70 = 7 \cdot 10 = (2^2 + 1^2 + 1^2 + 1^2)(3^2 + 1^2 + 0^2 + 0^2)$
$= (2 \cdot 3 + 1 \cdot 1 + 1 \cdot 0 + 1 \cdot 0)^2 + (2 \cdot 1 - 1 \cdot 3 + 1 \cdot 0 - 1 \cdot 0)^2$
$+ (2 \cdot 0 - 1 \cdot 0 - 1 \cdot 3 + 1 \cdot 1)^2 + (2 \cdot 0 + 1 \cdot 0 - 1 \cdot 1 - 1 \cdot 3)^2$
$= 7^2 + 1^2 + 2^2 + 4^2.$ ◄

We will now begin our work to show that every prime is the sum of four squares. We 
begin with a lemma. 

Lemma 13.5. If $p$ is an odd prime, then there exists an integer $k$, $k < p$, such that

$kp = x^2 + y^2 + z^2 + w^2$

has a solution in integers $x$, $y$, $z$, and $w$.

Proof. We will first show that there are integers $x$ and $y$ such that

$x^2 + y^2 + 1 \equiv 0 \pmod{p}$

with $0 \le x < p/2$ and $0 \le y < p/2$.

Let

$S = \left\{0^2, 1^2, \ldots, \left(\frac{p-1}{2}\right)^2\right\}$

and

$T = \left\{-1 - 0^2, -1 - 1^2, \ldots, -1 - \left(\frac{p-1}{2}\right)^2\right\}.$

No two elements of $S$ are congruent modulo $p$ (because $x^2 \equiv y^2 \pmod{p}$ implies that
$x \equiv \pm y \pmod{p}$). Likewise, no two elements of $T$ are congruent modulo $p$. It is easy
to see that the set $S \cup T$ contains $p + 1$ distinct integers. By the pigeonhole principle,
there are two integers in this union that are congruent modulo $p$. It follows that there
are integers $x$ and $y$ such that $x^2 \equiv -1 - y^2 \pmod{p}$ with $0 \le x \le (p - 1)/2$ and
$0 \le y \le (p - 1)/2$. We have

$x^2 + y^2 + 1 \equiv 0 \pmod{p};$

it follows that $x^2 + y^2 + 1 + 0^2 = kp$ for some integer $k$. Because
$x^2 + y^2 + 1 \le 2((p - 1)/2)^2 + 1 < p^2$, it follows that $k < p$. ■

We can now prove that every prime is the sum of four squares. 

Theorem 13.8. Let $p$ be a prime. Then the equation $x^2 + y^2 + z^2 + w^2 = p$ has a
solution, where $x$, $y$, $z$, and $w$ are integers.

Proof. The result is true when $p = 2$, because $2 = 1^2 + 1^2 + 0^2 + 0^2$. Now, assume that
$p$ is an odd prime. Let $m$ be the smallest integer such that $x^2 + y^2 + z^2 + w^2 = mp$ has
a solution, where $x$, $y$, $z$, and $w$ are integers. (By Lemma 13.5, such integers exist, and
by the well-ordering property, there is a minimal such integer.) The theorem will follow
if we can show that $m = 1$. To do this, we assume that $m > 1$ and find a smaller such
integer.

If $m$ is even, then either all of $x$, $y$, $z$, and $w$ are odd, all are even, or two are odd
and two are even. In all these cases, we can rearrange these integers (if necessary) so that
$x \equiv y \pmod{2}$ and $z \equiv w \pmod{2}$. It then follows that $(x - y)/2$, $(x + y)/2$, $(z - w)/2$,
and $(z + w)/2$ are integers, and

This contradicts the minimality of m. 

Now suppose that $m$ is odd and $m > 1$. Let $a$, $b$, $c$, and $d$ be integers such that

$a \equiv x \pmod{m}, \quad b \equiv y \pmod{m}, \quad c \equiv z \pmod{m}, \quad d \equiv w \pmod{m},$

and

$-m/2 < a < m/2, \quad -m/2 < b < m/2, \quad -m/2 < c < m/2, \quad -m/2 < d < m/2.$

We have

$a^2 + b^2 + c^2 + d^2 \equiv x^2 + y^2 + z^2 + w^2 \pmod{m};$

hence,

$a^2 + b^2 + c^2 + d^2 = km$

for some integer $k$, and

$0 \le a^2 + b^2 + c^2 + d^2 < 4(m/2)^2 = m^2.$

Consequently, $0 \le k < m$. If $k = 0$, we have $a = b = c = d = 0$, so that
$x \equiv y \equiv z \equiv w \equiv 0 \pmod{m}$. From this, it follows that $m^2 \mid mp$, which is impossible because $1 < m < p$.
It follows that $k > 0$.

We have

$(x^2 + y^2 + z^2 + w^2)(a^2 + b^2 + c^2 + d^2) = mp \cdot km = m^2kp.$

But by the identity in the proof of Theorem 13.7, we have

$(ax + by + cz + dw)^2 + (bx - ay + dz - cw)^2$
$+ (cx - dy - az + bw)^2 + (dx + cy - bz - aw)^2 = m^2kp.$

Each of the four terms being squared is divisible by $m$, because

$ax + by + cz + dw \equiv x^2 + y^2 + z^2 + w^2 \equiv 0 \pmod{m},$
$bx - ay + dz - cw \equiv yx - xy + wz - zw = 0 \pmod{m},$
$cx - dy - az + bw \equiv zx - wy - xz + yw = 0 \pmod{m},$
$dx + cy - bz - aw \equiv wx + zy - yz - xw = 0 \pmod{m}.$

Let $X$, $Y$, $Z$, and $W$ be the integers obtained by dividing these quantities by $m$, that is,

$X = (ax + by + cz + dw)/m,$
$Y = (bx - ay + dz - cw)/m,$
$Z = (cx - dy - az + bw)/m,$
$W = (dx + cy - bz - aw)/m.$

It then follows that

$X^2 + Y^2 + Z^2 + W^2 = m^2kp/m^2 = kp.$

But this contradicts the choice of $m$; hence, $m$ must be 1. ■

We now can state and prove the fundamental theorem about representations of 
integers as sums of four squares. 

Theorem 13.9. Every positive integer is the sum of the squares of four integers. 

Proof. Suppose that n is a positive integer. Then, by the fundamental theorem of 
arithmetic, n is the product of primes. By Theorem 13.8, each of these prime factors 
can be written as the sum of four squares. Applying Theorem 13.7 a sufficient number 
of times, it follows that n is also the sum of four squares. ■ 
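
Lemma 13.5 and the proofs of Theorems 13.7 through 13.9 also give a working procedure, shown in the following added example (not code from the text): the sets $S$ and $T$ of Lemma 13.5 supply a starting multiple of $p$, the even and odd cases of the proof of Theorem 13.8 shrink $m$ to 1, and identity (13.3) multiplies the prime representations together. The function names are assumptions of this example, and the table lookup that finds the collision between $S$ and $T$ is a convenience standing in for the pigeonhole argument.

```python
"""Four-square representations from Lemma 13.5 and Theorems 13.7-13.9 (added example)."""


def euler_product(u, v):
    """Identity (13.3) applied to u = (a, b, c, d) and v = (e, f, g, h)."""
    a, b, c, d = u
    e, f, g, h = v
    return (a * e + b * f + c * g + d * h,
            a * f - b * e + c * h - d * g,
            a * g - b * h - c * e + d * f,
            a * h + b * g - c * f - d * e)


def lemma_13_5(p):
    """Return (x, y), 0 <= x, y <= (p-1)/2, with x^2 + y^2 + 1 = 0 (mod p)."""
    half = (p - 1) // 2
    squares = {x * x % p: x for x in range(half + 1)}      # residues of the set S
    for y in range(half + 1):                               # elements of the set T
        x = squares.get((-1 - y * y) % p)
        if x is not None:
            return x, y
    raise ValueError("p must be an odd prime")


def prime_as_four_squares(p):
    """Descent from the proof of Theorem 13.8."""
    if p == 2:
        return (1, 1, 0, 0)
    x, y = lemma_13_5(p)
    q = (x, y, 1, 0)                       # x^2 + y^2 + 1^2 + 0^2 = m*p with m < p
    m = sum(v * v for v in q) // p
    while m > 1:
        if m % 2 == 0:
            # Rearrange so that x = y and z = w (mod 2), then halve m.
            x, y, z, w = sorted(q, key=lambda v: v % 2)
            q = ((x - y) // 2, (x + y) // 2, (z - w) // 2, (z + w) // 2)
            m //= 2
        else:
            # Residues a, b, c, d with -m/2 < r < m/2 (m is odd here).
            r = tuple((v + m // 2) % m - m // 2 for v in q)
            k = sum(v * v for v in r) // m
            # X, Y, Z, W of the proof: each product term is divisible by m.
            q = tuple(v // m for v in euler_product(q, r))
            m = k
    return tuple(sorted((abs(v) for v in q), reverse=True))


def four_squares(n):
    """Theorem 13.9: multiply the representations of the prime factors of n."""
    rep, p = (1, 0, 0, 0), 2
    while n > 1:
        if p * p > n:
            p = n                          # the remaining cofactor is prime
        if n % p == 0:
            rep = euler_product(rep, prime_as_four_squares(p))
            n //= p
        else:
            p += 1
    return tuple(sorted((abs(v) for v in rep), reverse=True))


if __name__ == "__main__":
    for n in (7, 70, 555, 3570):
        print(n, four_squares(n))
```

The search in `lemma_13_5` takes time and memory proportional to $p$, which is fine for illustration but not for large primes.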

We have shown that every positive integer can be written as the sum of four squares.
As mentioned, this theorem was originally proved by Lagrange in 1770. Around the same
time, the English mathematician Edward Waring generalized this problem. He stated,
but did not prove, that every positive integer is the sum of nine cubes of nonnegative
integers, the sum of 19 fourth powers of nonnegative integers, and so on. We can phrase
this conjecture in the following way.

Waring’s Problem. If $k$ is a positive integer, is there an integer $g(k)$ such that every
positive integer can be written as the sum of $g(k)$ $k$th powers of nonnegative integers,
and no smaller number of $k$th powers will suffice?

Lagrange’s theorem shows that we can take $g(2) = 4$ (because there are integers
that are not the sum of three squares). In the nineteenth century, mathematicians showed
that such an integer $g(k)$ exists for $3 < k < 8$ and $k = 10$. But it was not until 1906 that
David Hilbert showed that for every positive integer $k$, there is a constant $g(k)$ such that


EDWARD WARING (1736-1798) was born in Old Heath in Shropshire, England,
where his father was a farmer. As a youth, Edward attended Shrewsbury
School. He entered Magdalene College, Cambridge, in 1753, winning a scholarship
qualifying him for a reduced fee if he also worked as a servant. His
mathematical talents quickly impressed his teachers and he was elected a fellow
of the college in 1754, graduating in 1757. Noted by many as a prodigy, Waring
was nominated for the Lucasian Chair of Mathematics at Cambridge in 1759;
after some controversy, he was confirmed as the Lucasian professor in 1760 at
the age of 23.

Waring’s most important work was Meditationes Algebraicae, which covered topics in the
theory of equations, number theory, and geometry. In this book, he makes one of the first important
contributions to the part of abstract algebra now known as Galois theory. It was also in this book that
he stated without proof that every integer is equal to the sum of not more than nine cubes, that every
integer is the sum of not more than 19 fourth powers, and so on — the result we now call Waring’s
theorem. To honor his contributions in the Meditationes Algebraicae, Waring was elected a Fellow
of the Royal Society in 1763. However, few scholars read the book, because of its difficult subject
matter and because Waring used a notation that made his work hard to understand.

Surprisingly, Waring also studied medicine while holding his chair in mathematics. He graduated
with an M.D. in 1767 and for a brief time practiced medicine at several hospitals, before giving up
medicine in 1770. His lack of success in medicine has been attributed to his shy manner and poor
eyesight. Waring was able to pursue medicine while holding his chair in mathematics because he
did not present lectures on mathematics. In fact, Waring was noted as a poor communicator with
handwriting almost impossible to read.

Waring was married to Mary Oswell in 1776. He and his wife lived in the town of Shrewsbury
for a while, but his wife did not like the town. The couple later moved to Waring’s country estate.

Waring was considered by his contemporaries to possess an odd combination of vanity and modesty,
but with vanity predominating. He is recognized as one of the greatest English mathematicians
of his time, although his poor communication skills limited his reputation while he was alive. Moreover,
according to one account, near the end of his life he fell into a deep religious melancholy that
approached insanity and prevented him from accepting several awards.

every positive integer may be expressed as the sum of $g(k)$ $k$th powers of nonnegative
integers. Hilbert’s proof is extremely complicated and is not constructive, so that it gives
no formula for $g(k)$. It is now known that $g(3) = 9$, $g(4) = 19$, $g(5) = 37$, and

$g(k) = [(3/2)^k] + 2^k - 2$

for $6 < k < 471{,}600{,}000$. Proofs of these formulas rely on nonelementary results from
analytical number theory. There are still many unanswered questions about the values of
$g(k)$.

Although every positive integer can be written as the sum of nine cubes, it is known
that the only positive integers not representable as the sum of eight cubes are 23 and 239.
It is also known that every sufficiently large integer can be represented as the sum of at
most seven cubes. Observations of this sort lead to the definition of the function $G(k)$,
which equals the least positive integer such that all sufficiently large positive integers
can be represented as the sum of at most $G(k)$ $k$th powers. The preceding remarks imply
that $G(3) \le 7$. It is also not hard to see that $G(3) \ge 4$, because no positive integer $n$
with $n \equiv \pm 4 \pmod{9}$ can be expressed as the sum of three cubes (see Exercise 22).
This implies that $4 \le G(3) \le 7$. It may surprise you to learn that it is still not known
whether $G(3) = 4$, $5$, $6$, or $7$. The value of $G(k)$ is extremely difficult to determine;
the only known values of $G(k)$ are $G(2) = 4$ and $G(4) = 16$. The best currently known
inequalities for $G(k)$, with $k = 5$, $6$, $7$, and $8$, are $6 < G(5) < 17$, $9 < G(6) < 24$,
$8 < G(7) < 32$, and $32 < G(8) < 42$.

The interested reader can learn about recent results regarding Waring’s problem
by consulting the numerous articles on this problem described in [Le74]. The paper of
Wunderlich and Kubina [WuKu90] established the upper limit of the range for which it
has been verified that $g(k)$ is given by this formula.


13.3 Exercises

1. Given that $13 = 3^2 + 2^2$, $29 = 5^2 + 2^2$, and $50 = 7^2 + 1^2$, write each of the following integers
as the sum of two squares.

a) $377 = 13 \cdot 29$ b) $650 = 13 \cdot 50$ c) $1450 = 29 \cdot 50$ d) $18{,}850 = 13 \cdot 29 \cdot 50$

2. Determine whether each of the following integers can be written as the sum of two squares.

a) 19 c) 29 e) 65 g) 99 i) 1000

b) 25 d) 45 f) 80 h) 999

3. Represent each of the following integers as the sum of two squares.

a) 34 b) 90 c) 101 d) 490 e) 21,658 f) 324,608

4. Show that a positive integer is the difference of two squares if and only if it is not of the form
$4k + 2$, where $k$ is an integer.

5. Represent each of the following integers as the sum of three squares if possible.

a) 3 b) 90 c) 11 d) 18 e) 23 f) 28

6. Show that the positive integer $n$ is not the sum of three squares of integers if $n$ is of the form
$8k + 7$, where $k$ is an integer.
8 k + 7, where k is an integer. 

7. Show that the positive integer $n$ is not the sum of three squares of integers if $n$ is of the form
$4^m(8k + 7)$, where $m$ and $k$ are nonnegative integers.

8. Prove or disprove that the sum of two integers each representable as the sum of three squares
of integers is also thus representable.

9. Given that $7 = 2^2 + 1^2 + 1^2 + 1^2$, $15 = 3^2 + 2^2 + 1^2 + 1^2$, and $34 = 4^2 + 4^2 + 1^2 + 1^2$, write
each of the following integers as the sum of four squares.

a) $105 = 7 \cdot 15$ b) $510 = 15 \cdot 34$ c) $238 = 7 \cdot 34$ d) $3570 = 7 \cdot 15 \cdot 34$

10. Write each of the following positive integers as the sum of four squares.

a) 6 b) 12 c) 21 d) 89 e) 99 f) 555

11. Show that every integer $n$, $n \ge 170$, is the sum of the squares of five positive integers.
(Hint: Write $m = n - 169$ as the sum of the squares of four integers, and use the fact that
$169 = 13^2 = 12^2 + 5^2 = 12^2 + 4^2 + 3^2 = 10^2 + 8^2 + 2^2 + 1^2$.)

12. Show that the only positive integers that are not expressible as the sum of five squares of
positive integers are 1, 2, 3, 4, 6, 7, 9, 10, 12, 15, 18, 33. (Hint: Use Exercise 11, show that
each of these integers cannot be expressed as stated, and then show all remaining positive
integers less than 170 can be expressed as stated.)

* 13. Show that there are arbitrarily large integers that are not the sums of the squares of four
positive integers.


We outline a second proof for Theorem 13.5 in Exercises 14-15.

* 14. Show that if $p$ is prime and $a$ is an integer not divisible by $p$, then there exist integers $x$
and $y$ such that $ax \equiv y \pmod{p}$ with $0 < |x| < \sqrt{p}$ and $0 < |y| < \sqrt{p}$. This result is called
Thue’s lemma after Norwegian mathematician Axel Thue. (Hint: Use the pigeonhole principle
to show that there are two integers of the form $au - v$, with $0 \le u \le [\sqrt{p}]$ and $0 \le v \le [\sqrt{p}]$,
that are congruent modulo $p$. Construct $x$ and $y$ from the two values of $u$ and the two values
of $v$, respectively.)

15. Use Exercise 14 to prove Theorem 13.5. (Hint: Show that there is an integer $a$ with $a^2 \equiv -1 \pmod{p}$.
Then apply Thue’s lemma with this value of $a$.)

16. Show that 23 is the sum of nine cubes of nonnegative integers but not the sum of eight cubes
of nonnegative integers.


Exercises 17-21 give an elementary proof that $g(4) \le 50$.




AXEL THUE (1863-1922) was born in Tonsberg, Norway. He received his
degree from the University of Oslo in 1889. He studied under the German
mathematician Lie in Leipzig and in Berlin from 1891 until 1894, and he was
professor of applied mechanics at the University of Oslo from 1903 until 1922.
Thue was the first person to study the problem of finding an infinite sequence
over a finite alphabet that does not contain any occurrences of adjacent identical
blocks. His work on the approximations of algebraic numbers was seminal,
and was later improved by Siegel and by Roth. Using his results, he managed
to prove that certain diophantine equations such as $y^3 - 2x^3 = 1$ have a finite number of solutions.
Edmund Landau characterized Thue’s theorem on approximation as “the most important discovery
in elementary number theory that I know.”



17. Show that

$\sum_{1 \le i < j \le 4} \left((x_i + x_j)^4 + (x_i - x_j)^4\right) = 6\left(\sum_{k=1}^{4} x_k^2\right)^2.$

(Hint: Start with the identity $(x_i + x_j)^4 + (x_i - x_j)^4 = 2x_i^4 + 12x_i^2x_j^2 + 2x_j^4$.)

18. Show from Exercise 17 that every integer of the form $6n^2$, where $n$ is a positive integer, is
the sum of 12 fourth powers.

19. Use Exercise 18 and the fact that every positive integer is the sum of four squares to show
that every positive integer of the form $6m$, where $m$ is a positive integer, can be written as the
sum of 48 fourth powers.

20. Show that the integers 0, 1, 2, 81, 16, 17 form a complete system of residues modulo 6, each
of which is the sum of at most two fourth powers. Show from this that every integer $n$ with
$n > 81$ can be written as $6m + k$, where $m$ is a positive integer and $k$ comes from this complete
system of residues. Conclude from this that every integer $n$ with $n < 81$ is the sum of 50 fourth
powers.

21. Show that every positive integer $n$ with $n < 81$ is the sum of at most 50 fourth powers. (Hint:
For $51 < n < 81$, start by using three terms equal to $2^4$.) Conclude from this exercise and
Exercise 20 that $g(4) \le 50$.

22. Show that no positive integer $n$, $n \equiv \pm 4 \pmod{9}$, is the sum of three cubes.

23. Show that $G(4) \ge 15$ by showing that if $n$ is a positive integer with $n \equiv 15 \pmod{16}$, then $n$
cannot be represented as the sum of fewer than 15 fourth powers of integers.

24. Use the fact that 31 is not the sum of 15 fourth powers and the method of infinite descent,
to show that no positive integer of the form $31 \cdot 16^m$ is the sum of 15 fourth powers. (Hint:
Suppose that $\sum_{i=1}^{15} x_i^4 = 31 \cdot 16^m$. Show that each $x_i$ must be even, so that
$\sum_{i=1}^{15} (x_i/2)^4 = 31 \cdot 16^{m-1}$.)

Computations and Explorations 

1. Find the number of ways that each integer less than 100 can be written as the sum of two
squares. (Count the sum $(\pm x)^2 + (\pm y)^2$ four times, once for each choice of signs.)

2. Using numerical evidence, make a conjecture concerning which positive integers can be
expressed as the sum of three squares. (Be sure to consult Exercise 7.)

3. Explore which positive integers can be written as the sum of $n$ cubes of nonnegative integers
for $n = 2, 3, 4, 5$.

Programming Projects 

* 1. Determine whether a positive integer $n$ can be represented as the sum of two squares and so
represent it if possible.

* 2. Given a positive integer $n$, represent $n$ as the sum of four squares.

13.4 Pell’s Equation

In this section, we study diophantine equations of the form

(13.4) $x^2 - dy^2 = n,$

where $d$ and $n$ are fixed integers. When $d < 0$ and $n < 0$, there are no solutions of (13.4).
When $d < 0$ and $n > 0$, there can be at most a finite number of solutions, because the
equation $x^2 - dy^2 = n$ implies that $|x| \le \sqrt{n}$ and $|y| \le \sqrt{n/|d|}$. Also, note that when
$d$ is a square, say, $d = D^2$, then

$x^2 - dy^2 = x^2 - D^2y^2 = (x + Dy)(x - Dy) = n.$

Hence, any solution of (13.4), when $d$ is a square, corresponds to a simultaneous solution
of the equations

$x + Dy = a,$
$x - Dy = b,$

where $a$ and $b$ are integers such that $n = ab$. In this case, there are only a finite number
of solutions, because there is at most one solution in integers of these two equations for
each factorization $n = ab$.

For the rest of this section, we are interested in the diophantine equation $x^2 - dy^2 = n$,
where $d$ and $n$ are integers and $d$ is a positive integer that is not a square. As the
following theorem shows, the simple continued fraction of $\sqrt{d}$ is very useful for the
study of this equation.


Theorem 13.10. Let $d$ and $n$ be integers such that $d > 0$, $d$ is not a square, and
$|n| < \sqrt{d}$. If $x^2 - dy^2 = n$, then $x/y$ is a convergent of the simple continued fraction of
$\sqrt{d}$.

Proof. First consider the case where n > 0. Because $x^2 - dy^2 = n$, we see that 

(13.5) $(x + y\sqrt{d})(x - y\sqrt{d}) = n.$ 

From (13.5), we see that $x - y\sqrt{d} > 0$, so that $x > y\sqrt{d}$. Consequently, 

$\frac{x}{y} - \sqrt{d} > 0,$ 

and, because $0 < n < \sqrt{d}$, we see that 

$\frac{x}{y} - \sqrt{d} = \frac{x^2 - dy^2}{y(x + y\sqrt{d})} < \frac{n}{y(2y\sqrt{d})} < \frac{\sqrt{d}}{2y^2\sqrt{d}} = \frac{1}{2y^2}.$ 

Because $0 < \frac{x}{y} - \sqrt{d} < \frac{1}{2y^2}$, Theorem 12.19 tells us that x/y must be a convergent of 
the simple continued fraction of $\sqrt{d}$. 

When n < 0, we divide both sides of $x^2 - dy^2 = n$ by $-d$, to obtain 

$y^2 - (1/d)x^2 = -n/d.$ 

By a similar argument to that given when n > 0, we see that y/x is a convergent of 
the simple continued fraction expansion of $1/\sqrt{d}$. Therefore, from Exercise 7 of Section 
12.3, we know that x/y = 1/(y/x) must be a convergent of the simple continued fraction 
of $\sqrt{d} = 1/(1/\sqrt{d})$. ■ 

We have shown that solutions of the diophantine equation $x^2 - dy^2 = n$, where 
$|n| < \sqrt{d}$, are given by the convergents of the simple continued fraction expansion of 
$\sqrt{d}$. We will restate Theorem 12.24 here, replacing n by d, because it will help us to use 
these convergents to find solutions of this diophantine equation. 

Theorem 12.24. Let d be a positive integer that is not a square. Define $\alpha_k = (P_k + \sqrt{d})/Q_k$, 
$a_k = [\alpha_k]$, $P_{k+1} = a_k Q_k - P_k$, and $Q_{k+1} = (d - P_{k+1}^2)/Q_k$, for k = 0, 1, 
2, ..., where $\alpha_0 = \sqrt{d}$. Furthermore, let $p_k/q_k$ denote the kth convergent of the simple 
continued fraction expansion of $\sqrt{d}$. Then 

$p_k^2 - d q_k^2 = (-1)^{k-1} Q_{k+1}.$ 

The special case of the diophantine equation $x^2 - dy^2 = n$ with n = 1 is called Pell’s 
equation, after John Pell. Although Pell played an important role in the mathematical 
community of his day, he played only a minor part in solving the equation named in his 
honor. The problem of finding the solutions of this equation has a long history. Special 
cases of Pell’s equations are discussed in ancient works by Archimedes and Diophantus. 
Moreover, the twelfth-century Indian mathematician Bhaskara described a method for 
finding the solutions of Pell’s equation. In more recent times, in a letter written in 1657, 
Fermat posed to the “mathematicians of Europe” the problem of showing that there are 
infinitely many integral solutions of the equation $x^2 - dy^2 = 1$, when d is a positive 
integer greater than 1 that is not a square. Soon afterward, the English mathematicians 
Wallis and Brouncker developed a method to find these solutions, but did not provide 
a proof that their method works. Euler provided all the theory needed for a proof in a 
paper published in 1767, and Lagrange published such a proof in 1768. The methods 
of Wallis and Brouncker, Euler, and Lagrange all are related to the use of the continued 
fraction of $\sqrt{d}$. We will show how this continued fraction is used to find the solutions of 
Pell’s equation. In particular, we will use Theorems 13.9 and 12.24 to find all solutions of 
Pell’s equation and the related equation $x^2 - dy^2 = -1$. More information about Pell’s 
equation can be found in [Ba03], a book entirely devoted to this equation. 

Theorem 13.11. Let d be a positive integer that is not a square. Let $p_k/q_k$ denote the 
kth convergent of the simple continued fraction of $\sqrt{d}$, k = 1, 2, 3, ..., and let n be the 
period length of this continued fraction. Then, when n is even, the positive solutions of 
the diophantine equation $x^2 - dy^2 = 1$ are $x = p_{jn-1}$, $y = q_{jn-1}$, j = 1, 2, 3, ..., and 
the diophantine equation $x^2 - dy^2 = -1$ has no solutions. When n is odd, the positive 


JOHN PELL (1611-1683), the son of a clergyman, was born in Sussex, England, and was 
educated at Trinity College, Cambridge. He became a schoolmaster instead of following 
his father’s wishes that he enter the clergy. After developing a reputation for scholarship in 
both mathematics and languages, he took a position at the University of Amsterdam. He 
remained there until, at the request of the Prince of Orange, he joined the faculty of a new 
college at Breda. Among Pell’s writings in mathematics are a book, Idea of Mathematics, as 
well as many pamphlets and articles. He corresponded and discussed mathematics with the 
leading mathematicians of his day, including Leibniz and Newton, the inventors of calculus. 
Euler may have called $x^2 - dy^2 = 1$ “Pell’s equation” because he was familiar with a book 
in which Pell augmented the work of other mathematicians on the solutions of the equation 
$x^2 - 12y^2 = n$. 

Pell was involved with diplomacy; he served in Switzerland as an agent of Oliver 
Cromwell, and he joined the English diplomatic service in 1654. He finally decided to join 
the clergy in 1661, when he took his holy orders and became chaplain to the Bishop of 
London. Unfortunately, at the time of his death, Pell was living in abject poverty. 


BHASKARA (1114-1185) was born in Biddur, in the Indian state of Mysore. Bhaskara 
was the head of the astronomical observatory at Ujjain, the center of mathematical studies 
in India for many centuries. He is the best known of all Indian mathematicians of his 
era. Bhaskara’s works on mathematics include Lilavati (The Beautiful) and Bijaganita 
(Seed Counting), which are both textbooks that cover parts of algebra, arithmetic, and 
geometry. Bhaskara studied systems of linear equations in more unknowns than equations, 
and knew many combinatorial formulas. He investigated the solutions of many different 
diophantine equations. In particular, he solved the equation $x^2 - dy^2 = 1$ in integers for d = 
8, 11, 32, 61, and 67, using what he called the “cycle method.” One illustration of his keen 
computational skill is his discovery of the solution of $x^2 - 61y^2 = 1$ with x = 1,766,319,049 
and y = 226,153,980. Bhaskara also wrote several important books on astronomy, including 
the Siddhantasiromani. 
solutions of $x^2 - dy^2 = 1$ are $x = p_{2jn-1}$, $y = q_{2jn-1}$, j = 1, 2, 3, ..., and the solutions 
of $x^2 - dy^2 = -1$ are $x = p_{(2j-1)n-1}$, $y = q_{(2j-1)n-1}$, j = 1, 2, 3, .... 

Proof. Theorem 13.9 tells us that if $x_0$, $y_0$ is a positive solution of $x^2 - dy^2 = \pm 1$, then 
$x_0 = p_k$, $y_0 = q_k$, where $p_k/q_k$ is a convergent of the simple continued fraction of $\sqrt{d}$. 
On the other hand, from Theorem 12.24, we know that 

$p_k^2 - d q_k^2 = (-1)^{k-1} Q_{k+1},$ 

where $Q_{k+1}$ is as defined in the statement of Theorem 12.24. 

Because the period of the continued expansion of $\sqrt{d}$ is n, we know that $Q_{jn} = Q_0 = 1$ 
for j = 1, 2, 3, ..., because $\sqrt{d} = (P_0 + \sqrt{d})/Q_0$. Hence, 

$p_{jn-1}^2 - d q_{jn-1}^2 = (-1)^{jn} Q_{jn} = (-1)^{jn}.$ 

This equation shows that when n is even, $p_{jn-1}$, $q_{jn-1}$ is a solution of $x^2 - dy^2 = 1$ for 
j = 1, 2, 3, ..., and when n is odd, $p_{2jn-1}$, $q_{2jn-1}$ is a solution of $x^2 - dy^2 = 1$ and 
$p_{(2j-1)n-1}$, $q_{(2j-1)n-1}$ is a solution of $x^2 - dy^2 = -1$ for j = 1, 2, 3, .... 

To show that the diophantine equations $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$ have no 
solutions other than those already found, we will show that $Q_{k+1} = 1$ implies that $n \mid k$ 
and that $Q_j \ne -1$ for j = 1, 2, 3, .... 

We first note that if $Q_{k+1} = 1$, then 

$\alpha_{k+1} = P_{k+1} + \sqrt{d}.$ 

Because $\alpha_{k+1} = [a_{k+1}; a_{k+2}, \ldots]$, the continued fraction expansion of $\alpha_{k+1}$ is purely 
periodic. Hence, Theorem 12.23 tells us that $-1 < \alpha'_{k+1} = P_{k+1} - \sqrt{d} < 0$. This implies 
that $P_{k+1} = [\sqrt{d}]$, so that $\alpha_k = \alpha_0$, and $n \mid k$. 

To see that $Q_j \ne -1$ for j = 1, 2, 3, ..., note that $Q_j = -1$ implies that $\alpha_j = 
-P_j - \sqrt{d}$. Because $\alpha_j$ has a purely periodic simple continued fraction expansion, we 
know that 

$-1 < \alpha'_j = -P_j + \sqrt{d} < 0$ 

and 

$\alpha_j = -P_j - \sqrt{d} > 1.$ 

From the first of these inequalities, we see that $P_j > -\sqrt{d}$, and from the second, we see 
that $P_j < -1 - \sqrt{d}$. Because these two inequalities for $P_j$ are contradictory, we see that 
$Q_j \ne -1$. 

Because we have found all solutions of $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$, where x 
and y are positive integers, we have completed the proof. ■ 

We illustrate the use of Theorem 13.10 with the following examples. 
Example 13.9. Because the simple continued fraction of $\sqrt{13}$ is $[3; \overline{1, 1, 1, 1, 6}]$, the 
positive solutions of the diophantine equation $x^2 - 13y^2 = 1$ are $p_{10j-1}$, $q_{10j-1}$, j = 
1, 2, 3, ..., where $p_{10j-1}/q_{10j-1}$ is the (10j - 1)th convergent of the simple continued 
fraction expansion of $\sqrt{13}$. The least positive solution is $p_9 = 649$, $q_9 = 180$. The positive 
solutions of the diophantine equation $x^2 - 13y^2 = -1$ are $p_{10j-6}$, $q_{10j-6}$, j = 1, 2, 3, ...; the 
least positive solution is $p_4 = 18$, $q_4 = 5$. ◄ 

Example 13.10. Because the continued fraction of $\sqrt{14}$ is $[3; \overline{1, 2, 1, 6}]$, the positive 
solutions of $x^2 - 14y^2 = 1$ are $p_{4j-1}$, $q_{4j-1}$, j = 1, 2, 3, ..., where $p_{4j-1}/q_{4j-1}$ is the 
(4j - 1)th convergent of the simple continued fraction expansion of $\sqrt{14}$. The least positive 
solution is $p_3 = 15$, $q_3 = 4$. The diophantine equation $x^2 - 14y^2 = -1$ has no solutions, 
because the period length of the simple continued fraction expansion of $\sqrt{14}$ is even. ◄ 
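The procedure of Theorems 12.24 and 13.11 can be carried out mechanically. The following Python sketch is an added example, not part of the text; the function name and the returned dictionary keys are choices made here. It steps the $P_k$, $Q_k$, $a_k$ recurrence, checks the identity of Theorem 12.24 at every convergent, and stops at the first convergents that solve $x^2 - dy^2 = \pm 1$.

```python
from math import isqrt


def pell_from_continued_fraction(d):
    """Expand sqrt(d) with the P_k, Q_k recurrence of Theorem 12.24.

    Returns the periodic block a_1..a_n, the period length n, the least
    positive solution of x^2 - d*y^2 = 1, and the least positive solution
    of x^2 - d*y^2 = -1 (None when n is even, as Theorem 13.11 states).
    """
    if d <= 0 or isqrt(d) ** 2 == d:
        raise ValueError("d must be a positive integer that is not a square")
    a0 = isqrt(d)
    P, Q, a = 0, 1, a0            # P_0, Q_0, a_0 (alpha_0 = sqrt(d))
    p_prev, q_prev = 1, 0         # p_{-1}, q_{-1}
    p, q = a0, 1                  # p_0, q_0
    block, period, minus_one = [], None, None
    k = 0
    while True:
        P = a * Q - P             # P_{k+1}
        Q = (d - P * P) // Q      # Q_{k+1}; this division is always exact
        a = (P + a0) // Q         # a_{k+1} = floor((P_{k+1} + sqrt(d)) / Q_{k+1})
        sign = 1 if k % 2 else -1  # (-1)^(k-1)
        # Theorem 12.24: p_k^2 - d*q_k^2 = (-1)^(k-1) * Q_{k+1}
        if p * p - d * q * q != sign * Q:
            raise ArithmeticError("identity of Theorem 12.24 failed")
        if period is None:
            block.append(a)       # still inside the first period
        if Q == 1:                # happens exactly when n divides k + 1
            if period is None:
                period = k + 1
            if sign == 1:         # p_k^2 - d*q_k^2 = +1: least Pell solution
                return {"a0": a0, "block": block, "period": period,
                        "plus_one": (p, q), "minus_one": minus_one}
            minus_one = (p, q)    # n is odd: p_{n-1}, q_{n-1} solves the -1 equation
        # Advance to the next convergent p_{k+1}/q_{k+1}.
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        k += 1


if __name__ == "__main__":
    for d in (13, 14, 61):
        r = pell_from_continued_fraction(d)
        print(d, [r["a0"]] + r["block"], r["period"], r["plus_one"], r["minus_one"])
```

For d = 13 and d = 14 the output reproduces Examples 13.9 and 13.10, and for d = 61 it reproduces the solution credited to Bhaskara above.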

We conclude this section with the following theorem, which shows how to find all 
the positive solutions of Pell’s equation, $x^2 - dy^2 = 1$, from the least positive solution, 
without finding subsequent convergents of the continued fraction expansion of $\sqrt{d}$. 

Theorem 13.12. Let $x_1$, $y_1$ be the least positive solution of the diophantine equation 
$x^2 - dy^2 = 1$, where d is a positive integer that is not a square. Then all positive solutions 
$x_k$, $y_k$ are given by 

$x_k + y_k\sqrt{d} = (x_1 + y_1\sqrt{d})^k$ 

for k = 1, 2, 3, .... (Note that $x_k$ and $y_k$ are determined by the use of Lemma 13.4.) 

Proof. We must show that $x_k$, $y_k$ is a solution for k = 1, 2, 3, ..., and that every solution 
is of this form. 

To show that $x_k$, $y_k$ is a solution, first note that by taking conjugates, it follows that 
$x_k - y_k\sqrt{d} = (x_1 - y_1\sqrt{d})^k$ because, from Lemma 12.4, the conjugate of a power is the 
power of the conjugate. Now, note that 

$x_k^2 - dy_k^2 = (x_k + y_k\sqrt{d})(x_k - y_k\sqrt{d})$ 
$= (x_1 + y_1\sqrt{d})^k (x_1 - y_1\sqrt{d})^k$ 
$= (x_1^2 - dy_1^2)^k$ 
$= 1.$ 

Hence, $x_k$, $y_k$ is a solution for k = 1, 2, 3, .... 

To show that every positive solution is equal to $x_k$, $y_k$ for some positive integer k, 
assume that X, Y is a positive solution different from $x_k$, $y_k$ for k = 1, 2, 3, .... Then there is an 
integer n such that 

$(x_1 + y_1\sqrt{d})^n < X + Y\sqrt{d} < (x_1 + y_1\sqrt{d})^{n+1}.$ 

When we multiply this inequality by $(x_1 + y_1\sqrt{d})^{-n}$, we obtain 

$1 < (x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d}) < x_1 + y_1\sqrt{d},$ 
because $x_1^2 - dy_1^2 = 1$ implies that $x_1 - y_1\sqrt{d} = (x_1 + y_1\sqrt{d})^{-1}$. 

Now let 

$s + t\sqrt{d} = (x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d})$ 

and note that 

$s^2 - dt^2 = (s - t\sqrt{d})(s + t\sqrt{d})$ 
$= (x_1 + y_1\sqrt{d})^n (X - Y\sqrt{d})(x_1 - y_1\sqrt{d})^n (X + Y\sqrt{d})$ 
$= (x_1^2 - dy_1^2)^n (X^2 - dY^2)$ 
$= 1.$ 

We see that s, t is a solution of $x^2 - dy^2 = 1$, and, furthermore, we know that $1 < 
s + t\sqrt{d} < x_1 + y_1\sqrt{d}$. Moreover, because we know that $s + t\sqrt{d} > 1$, we see that 
$0 < (s + t\sqrt{d})^{-1} < 1$. Hence, 

$s = \frac{1}{2}[(s + t\sqrt{d}) + (s - t\sqrt{d})] > 0$ 

and 

$t = \frac{1}{2\sqrt{d}}[(s + t\sqrt{d}) - (s - t\sqrt{d})] > 0.$ 

This means that s, t is a positive solution, so that $s \ge x_1$ and $t \ge y_1$, by the choice of 
$x_1$, $y_1$ as the smallest positive solution. But this contradicts the inequality $s + t\sqrt{d} < 
x_1 + y_1\sqrt{d}$. Therefore, X, Y must be $x_k$, $y_k$ for some choice of k. ■ 

The following example illustrates the use of Theorem 13.11. 

Example 13.11. From Example 13.9, we know that the least positive solution of the 
diophantine equation $x^2 - 13y^2 = 1$ is $x_1 = 649$, $y_1 = 180$. Hence, all positive solutions 
are given by $x_k$, $y_k$ where 

$x_k + y_k\sqrt{13} = (649 + 180\sqrt{13})^k.$ 

For instance, we have 

$x_2 + y_2\sqrt{13} = 842{,}401 + 233{,}640\sqrt{13}.$ 

Hence, $x_2$ = 842,401, $y_2$ = 233,640 is the least positive solution of $x^2 - 13y^2 = 1$, other 
than $x_1 = 649$, $y_1 = 180$. ◄ 
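Theorem 13.12 turns into a two-term recurrence once the product $(x_k + y_k\sqrt{d})(x_1 + y_1\sqrt{d})$ is multiplied out. The following Python sketch is an added example, not part of the text, and its function names are hypothetical. It generates solutions from the least one and compares them with an exhaustive search over y, which checks on a finite range the claim that no positive solution is missed.

```python
from math import isqrt


def pell_solutions(d, x1, y1, count):
    """First `count` positive solutions of x^2 - d*y^2 = 1, generated from the
    least positive solution (x1, y1) as in Theorem 13.12."""
    if x1 * x1 - d * y1 * y1 != 1:
        raise ValueError("(x1, y1) is not a solution of x^2 - d*y^2 = 1")
    solutions = []
    x, y = x1, y1
    for _ in range(count):
        solutions.append((x, y))
        # (x + y*sqrt(d)) * (x1 + y1*sqrt(d))
        #   = (x*x1 + d*y*y1) + (x*y1 + y*x1)*sqrt(d)
        x, y = x * x1 + d * y * y1, x * y1 + y * x1
    return solutions


def brute_force_solutions(d, y_max):
    """Every positive solution with y <= y_max, found by testing whether
    1 + d*y^2 is a perfect square. Uses no theory, so it is an independent check."""
    found = []
    for y in range(1, y_max + 1):
        target = 1 + d * y * y
        x = isqrt(target)
        if x * x == target:
            found.append((x, y))
    return found


def powers_match_search(d, x1, y1, y_max):
    """True when the powers of x1 + y1*sqrt(d) give exactly the solutions
    that the exhaustive search finds with y <= y_max."""
    searched = brute_force_solutions(d, y_max)
    generated = pell_solutions(d, x1, y1, len(searched) + 1)
    # The next generated solution must lie beyond the searched range.
    return generated[:-1] == searched and generated[-1][1] > y_max


if __name__ == "__main__":
    print(pell_solutions(13, 649, 180, 3))
    print(powers_match_search(13, 649, 180, 240000))
```

The exhaustive search takes time proportional to the bound on y, while the recurrence reaches the kth solution in k multiplications, which is the practical content of the theorem.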

13.4 Exercises 

1. Find all of the solutions, where x and y are integers, of each of the following equations. 

a) $x^2 + 3y^2 = 4$ b) $x^2 + 5y^2 = 7$ c) $2x^2 + 7y^2 = 30$ 

2. Find all of the solutions, where x and y are integers, of each of the following equations. 

a) $x^2 - y^2 = 8$ b) $x^2 + 4y^2 = 40$ c) $4x^2 + 9y^2 = 100$ 
3. For which of the following values of n does the diophantine equation $x^2 - 31y^2 = n$ have a 
solution? 

a) 1 b) -1 c) 2 d) -3 e) 4 f) -45 

4. Find the least positive solution in integers of each of the following diophantine equations. 

a) $x^2 - 29y^2 = -1$ b) $x^2 - 29y^2 = 1$ 

5. Find the three smallest positive solutions of the diophantine equation $x^2 - 31y^2 = 1$. 

6. For each of the following values of d, determine whether the diophantine equation $x^2 - dy^2 = -1$ 
has solutions in integers. 

a) 2 b) 3 c) 6 d) 13 e) 17 f) 31 g) 41 h) 50 

7. The least positive solution of the diophantine equation $x^2 - 61y^2 = 1$ is $x_1$ = 1,766,319,049, 
$y_1$ = 226,153,980. Find the least positive solution other than $x_1$, $y_1$. 

8. Show that if $p_k/q_k$ is a convergent of the simple continued fraction expansion of $\sqrt{d}$, then 
$|p_k^2 - dq_k^2| < 1 + 2\sqrt{d}$. 

9. Show that if d is a positive integer divisible by a prime of the form 4k + 3, then the diophantine 
equation $x^2 - dy^2 = -1$ has no solutions. 

10. Let d and n be positive integers. 

a) Show that if r, s is a solution of the diophantine equation $x^2 - dy^2 = 1$ and X, Y is a 
solution of the diophantine equation $x^2 - dy^2 = n$, then Xr ± dYs, Xs ± Yr is also a 
solution of $x^2 - dy^2 = n$. 

b) Show that the diophantine equation $x^2 - dy^2 = n$ either has no solutions or has infinitely 
many solutions. 

11. Find those right triangles having legs with lengths that are consecutive integers. (Hint: Use 
Theorem 13.1 to write the lengths of the legs as $x = s^2 - t^2$ and y = 2st, where s and t are 
positive integers such that (s, t) = 1, s > t, and s and t have opposite parity. Then x - y = ±1 
implies that $(s - t)^2 - 2t^2 = \pm 1$.) 

12. Show that the diophantine equation $x^4 - 2y^4 = 1$ has no nontrivial solutions. 

13. Show that the diophantine equation $x^4 - 2y^2 = -1$ has no nontrivial solutions. 

14. Show that if $t_n$, the nth triangular number, equals the mth square, so that $n(n + 1)/2 = m^2$, 
then x = 2n + 1 and y = m are solutions of the diophantine equation $x^2 - 8y^2 = 1$. Find the 
first five solutions of this diophantine equation in terms of increasing values of the positive 
integer x and the corresponding pairs of triangular and square numbers. 


Computations and Explorations 

1. Find the least positive solution of the diophantine equation $x^2 - 109y^2 = 1$. (This problem 
was posed by Fermat to English mathematicians in the mid-1600s.) 

2. Find the least positive solution of the diophantine equation $x^2 - 991y^2 = 1$. 

3. Find the least positive solution of the diophantine equation $x^2 - 1{,}000{,}099y^2 = 1$. 
Programming Projects 

1. Find those integers n with $|n| < \sqrt{d}$ such that the diophantine equation $x^2 - dy^2 = n$ has no 
solutions. 

2. Find the least positive solutions of the diophantine equations $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$. 

3. Find the solutions of Pell’s equation from the least positive solution (see Theorem 13.12). 


13.5 Congruent Numbers 

In Section 13.1, we showed that all Pythagorean triples can be found by determining 
the rational points on the unit circle. Finding all Pythagorean triples is just one of many 
problems in number theory that can be studied by finding the rational points on an 
algebraic curve. We study another such problem in this section. 

The positive integer N is called a congruent number when there is a rational right 
triangle with area N. By a rational right triangle, we mean a triangle that has rational side 
lengths. Similarly, by an integer right triangle, we mean a triangle whose side lengths 
are integers. Recall that if x, y are the lengths of the legs of a right triangle and z is the 
hypotenuse, then $x^2 + y^2 = z^2$ and the area of the triangle is xy/2. Consequently, the 
positive rational number N is a congruent number if and only if there are rational numbers 
x, y and z such that $x^2 + y^2 = z^2$ and xy/2 = N. 

Example 13.12. We see that 6 is a congruent number because it is the area of the integer 
right triangle with sides of length 3, 4, and 5. ◄ 

Determining which positive integers are congruent numbers is known as the congruent 
number problem. The earliest known discussion of this problem is found in an 
anonymous Arabian manuscript written in 972. This manuscript tells us that early Arab 
mathematicians knew of 30 different congruent numbers. The smallest of these are 5, 
6, 14, 15, 21, 30, 34, 65, and 70; the largest is 10,374. In the 13th century, Fibonacci 
demonstrated that 7 is a congruent number. Furthermore, he stated, but did not prove, 
that no square is a congruent number. (By a square we mean the square of a positive 
integer.) In the 17th century, Fermat proved that each of the integers 1, 2, and 3 is not a 
congruent number. His proof that 1 is not a congruent number established that no square 
is a congruent number, as we will soon see. 

The term “congruent number” was introduced in the eighteenth century by Euler. 
(The reason behind the terminology “congruent number” will be discussed later. The 
reader should note that the use of the word “congruent” in this terminology is not directly 
related to congruent integers or congruent triangles.) The history of the congruent number 
problem is quite extensive; more about this history can be found in [Gu94] and volume 
2 of [Di05]. Later in this section we will explain how the congruent number problem is 
related to finding rational points on certain curves. To learn about more recent progress on the 
congruent number problem, the reader should consult [Ch98], [Ch06], [Co08], [Ko96], 
and [SaSa07]. Some of the exposition in this section has been based on material in 
[Co08] and [SaSa07]. 

Pythagorean triples and congruent numbers 

To begin our study of congruent numbers, we first observe that we have to consider only 
square-free integers when we look for congruent numbers. The reason for this is that 
an integer is a congruent number if and only if its square-free part is a congruent number. 
(Recall, by Exercise 8 in Section 3.5, that if N is a positive integer, then it can be written 
as $N = u^2 v$ where u and v are positive integers; here, v is the square-free part of N.) To 
see this, note that if N is a congruent number, then there is a rational right triangle with 
area N. Scaling this rational right triangle down by a factor of u, so that the side lengths 
of the new triangle are the side lengths of the original triangle divided by u, produces a 
rational right triangle with area v. Similarly, scaling a rational right triangle with area v 
up by a factor of u gives us a rational right triangle with area N. 

Recall from Section 13.1 that (a, b, c) is a primitive Pythagorean triple, 
with b even, if and only if there are relatively prime positive integers m and n of opposite 
parity where m > n such that $a = m^2 - n^2$, b = 2mn, and $c = m^2 + n^2$. The area of this 
triangle is $ab/2 = (m^2 - n^2)mn$, which is a positive integer. The connection between 
Pythagorean triples and congruent numbers is made clear by the following theorem, 
which shows that every congruent number arises from a Pythagorean triple. 

Theorem 13.13. If N is a square-free positive integer, then N is a congruent number 
if and only if there is a positive integer s such that $s^2 N$ is the area of a primitive right 
triangle. Consequently, a square-free integer N is a congruent number if and only if there 
are relatively prime integers m and n of opposite parity and a positive integer s so that 
$s^2 N = mn(m + n)(m - n)$. ■ 

Proof. Suppose that N is a square-free positive integer that is a congruent number. Then 
N is the area of a rational right triangle with sides of length A, B, and C. Let s be the least 
common multiple of the denominators of the rational numbers A, B, and C. It follows 
that (sA, sB, sC) is a Pythagorean triple and the right triangle with sides of these lengths 
has area $s^2 N$. 

We will show that (sA, sB, sC) must be a primitive Pythagorean triple. To see this, 
assume that $M \mid sA$, $M \mid sB$, and $M \mid sC$ where M is a positive integer. We will show that 
M = 1. Observe that (sA/M, sB/M, sC/M) is a Pythagorean triple and that the area 
of the corresponding right triangle is $s^2 N/M^2$. Because this area is an integer, we know 
that $M^2 \mid s^2 N$. As N is square-free, it follows that $M^2 \mid s^2$, and by Exercise 43 in Section 
3.5, it follows that $M \mid s$. Hence, there is an integer t such that s = Mt and tA, tB, tC are 
positive integers. As s is the least common multiple of the denominators of A, B, and C, 
t must be a multiple of these denominators, and $t \le s$; this implies that s = t and M = 1. 

We have already established the converse in our previous discussion. That is, if there 
is a positive integer s such that $s^2 N$ is the area of a primitive right triangle with sides of 
lengths a, b, and c, then N is the area of a rational right triangle with sides of lengths 
a/s, b/s, and c/s. 
To conclude the proof, we recall that a primitive right triangle has sides of length 
$m^2 - n^2$, 2mn, and $m^2 + n^2$ where m and n are relatively prime positive integers of 
opposite parity. This means that the area of this triangle is $(1/2)(m^2 - n^2)(2mn) = 
mn(m + n)(m - n)$. ■ 

Theorem 13.13 provides a way to find congruent numbers. More specifically, we 
take the square-free part of $(m^2 - n^2)mn$ as m and n run through pairs of integers m and 
n of opposite parity with m > n to generate congruent numbers. This process is begun 
in Table 13.2, which expands the table of primitive Pythagorean triples in Table 13.1 to 
include areas and the square-free part of these areas. Theorem 13.13 tells us that if N is 
a congruent number, it will show up in the last column of a row if we extend this table 
far enough. However, we may have to wait a long time before a particular square-free 
congruent number shows up; there is no way to know beforehand how long we will have 
to wait. We also note that 210 appears twice in the last column of Table 13.2. This means 
that it is the square-free part of the area of the triangles corresponding to two different 
Pythagorean triples. We will return to this observation later in this section. 

The following example illustrates the difficulty of using this approach to show that 
a positive integer is a congruent number. 

Example 13.13. The integers 5, 7, and 53 are all congruent numbers, as we will show. 
Looking at Table 13.2, we see that 5 is a congruent number, as it is the square-free part 
of the area of the primitive right triangle with sides of length 9, 40, and 41, which has 
area $180 = 6^2 \cdot 5$. Scaling this triangle by dividing the length of each side by 6, we obtain 
a right triangle with sides of length 9/6 = 3/2, 40/6 = 20/3, and 41/6 with area 5. 

We have not included enough rows in Table 13.2 for 7 to appear in the last column. 
However, 7 would appear if we extended the table far enough to include the values m = 16 
and n = 9, which produce a primitive right triangle with sides of length 175, 288, and 
337. The area of this triangle is 25,200 = $60^2 \cdot 7$. It follows that 7 is a congruent number; 
scaling gives us a right triangle with sides of length 175/60 = 35/12, 288/60 = 24/5, 
and 337/60 with area 7. 


m    n    x = m^2 - n^2    y = 2mn    z = m^2 + n^2    (m^2 - n^2)mn    square-free part 
2    1    3                4          5                6                6 
3    2    5                12         13               30               30 
4    1    15               8          17               60               15 
4    3    7                24         25               84               21 
5    2    21               20         29               210              210 
5    4    9                40         41               180              5 
6    1    35               12         37               210              210 
6    5    11               60         61               330              330 

Table 13.2 Some primitive Pythagorean triples and the congruent numbers they produce. 
We also do not see 53 as an entry in the last column of Table 13.2. An extended 
version of this table would have to be huge to show that 53 is a congruent number. The 
first time 53 appears as the square-free part of the area of a primitive Pythagorean triple 
produced is for m = 1,873,180,325 and n = 1,158,313,156. The area of the associated 
triangle is $(297{,}855{,}654{,}284{,}978{,}790)^2 \cdot 53$. ◄ 
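The search described by Theorem 13.13 and begun in Table 13.2 is easy to automate. The following Python sketch is an added example, not part of the text, with hypothetical function names. It regenerates the rows of the table, and for a square-free N it returns the first pair m, n whose area has square-free part N, together with the scaled rational right triangle of area N.

```python
from fractions import Fraction
from math import gcd


def squarefree_decomposition(n):
    """Return (s, v) with n = s^2 * v and v square-free, by trial division."""
    s, v, p = 1, 1, 2
    while p * p <= n:
        exponent = 0
        while n % p == 0:
            n //= p
            exponent += 1
        s *= p ** (exponent // 2)
        if exponent % 2:
            v *= p
        p += 1
    return s, v * n   # what is left of n is 1 or a single prime


def table_rows(m_max):
    """Rows (m, n, x, y, z, area, square-free part) in the order of Table 13.2:
    m > n >= 1 relatively prime and of opposite parity, with m <= m_max."""
    rows = []
    for m in range(2, m_max + 1):
        for n in range(1, m):
            if (m - n) % 2 == 1 and gcd(m, n) == 1:
                x, y, z = m * m - n * n, 2 * m * n, m * m + n * n
                area = x * y // 2            # equals (m^2 - n^2) * m * n
                rows.append((m, n, x, y, z, area,
                             squarefree_decomposition(area)[1]))
    return rows


def rational_triangle(N, m_max):
    """Search the extended table for the square-free integer N.

    Returns ((m, n), s, (a, b, c)) where the primitive triangle from m, n has
    area s^2 * N and (a, b, c) are its sides divided by s, or None when N does
    not appear for any m <= m_max (which says nothing about larger m).
    """
    for m, n, x, y, z, area, v in table_rows(m_max):
        if v == N:
            s = squarefree_decomposition(area)[0]
            sides = tuple(Fraction(t, s) for t in (x, y, z))
            return (m, n), s, sides
    return None


if __name__ == "__main__":
    for row in table_rows(6):
        print(*row)
    for N in (5, 7, 53):
        print(N, rational_triangle(N, 60))
```

A result of None, as for N = 53 with this small bound, reflects the point made in the text: there is no way to know beforehand how far the table must be extended.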

The following theorem, proved by Fibonacci, can help find congruent numbers. It 
is also a useful tool in many proofs. 

Theorem 13.14. Suppose that a and b are relatively prime positive integers of opposite 
parity with a > b. When any three of a, b, a + b, and a — b are squares, the fourth of 
these numbers equals $s^2 N$ where N is a congruent number and s is an integer. ■ 

Proof. When a and b are relatively prime positive integers of opposite parity and a > b, 
it follows that $(a^2 - b^2, 2ab, a^2 + b^2)$ is a primitive Pythagorean triple. The primitive 
right triangle corresponding to this triple has area $(a^2 - b^2)ab = (a + b)(a - b)ab$. Of 
the four cases to consider, we will only consider the case when a, b, and a + b are 
squares; we leave the other three cases as an exercise. 

When a, b, and a + b are squares, it follows that (a + b)ab is a square. Consequently, 
$M = \sqrt{(a + b)ab}$ is a positive integer and the area of the triangle corresponding to our 
Pythagorean triple is $M^2(a - b)$. This means that a - b is the area of a rational right 
triangle that has legs of lengths $(a^2 - b^2)/M$ and 2ab/M. Now let s be the least common 
multiple of the denominators of the lengths of these legs. It then follows that $a - b = s^2 N$ 
where N is a congruent number, completing the proof in this case. ■ 

We now explain how Theorem 13.14 can be used to find congruent numbers, starting 
with primitive Pythagorean triples. If (x, y, z) is a primitive Pythagorean triple, then 
x and y are relatively prime positive integers of opposite parity. As the reader should 
verify, this means that $x^2$ and $y^2$ are relatively prime integers of opposite parity. We also 
note that $x^2$, $y^2$, and $x^2 + y^2 = z^2$ are all squares. By Theorem 13.14, if $x^2 > y^2$, we 
see that $x^2 - y^2 = s^2 N$ where N is a congruent number, while if $x^2 < y^2$, we see that 
$y^2 - x^2 = s^2 N$ where N is a congruent number. The next example illustrates this process. 

Example 13.14. Starting with the Pythagorean triple (x, y, z) = (3, 4, 5), we can find 
a congruent number using the process we have just described. We have $x^2 = 9$, $y^2 = 16$, 
$x^2 + y^2 = 25$, $y^2 - x^2 = 7$. This means that 7 is a congruent number, as it is square-free. 
Similarly, beginning with the Pythagorean triple (x, y, z) = (5, 12, 13), we have $x^2 = 25$, 
$y^2 = 144$, $x^2 + y^2 = 169$, and $y^2 - x^2 = 119$. We conclude that 119 is a congruent 
number, as it is square-free. ◄ 

Determining the Smallest Congruent Number 

In Examples 13.12 and 13.13, we showed that 5, 6, and 7 are congruent numbers. As we 
mentioned earlier, Fermat showed that none of 1, 2, or 3 is a congruent number. We also 
know that 4 is not a congruent number, for if 4 were a congruent number, $(1/2)^2 \cdot 4 = 1$ 
would also be one. Hence, 5 is the smallest integer that is a congruent number. 





We now show that no square can be a congruent number. This, of course, shows that 
1 is not a congruent number, as it is a square. We leave the proofs that 2 and 3 are not 
congruent numbers as exercises at the end of this section. 

Theorem 13.15. The area of a rational right triangle cannot be a square. ■ 

Proof. We use infinite descent to prove the theorem. To begin, suppose that there exists 
a rational right triangle with an area that is a square. By multiplying each side by the 
least common multiple of the denominators of the sides, we obtain an integer right triangle 
with an area that is a square. When we divide the sides of the integer right triangle by 
the greatest common divisor of the lengths of its three sides, we obtain a primitive right 
triangle. So, it follows that the set S of primitive right triangles that have a square as their 
area is nonempty. By the well-ordering property, applied to the squares of the lengths 
of the hypotenuses of elements of S, there is a triangle in S with hypotenuse of shortest 
length. 

Now suppose that the primitive Pythagorean triple corresponding to this triangle 
is $(m^2 - n^2, 2mn, m^2 + n^2)$, where m and n are relatively prime positive integers of 
opposite parity and m > n. The area of this triangle is 

$(m^2 - n^2)mn = (m + n)(m - n)mn.$ 

As m and n are relatively prime, the reader can verify that the factors m + n, m - n, m, 
and n are pairwise relatively prime. So, because (m + n)(m - n)mn is a square, each of 
the four factors is a square. We let $m + n = a^2$, $m - n = b^2$, $m = c^2$, and $n = d^2$, where 
a, b, c, and d are integers. Note that a and b are relatively prime odd integers (as m and n 
have opposite parity), $(a^2 + b^2)/2 = m$, and the length of the hypotenuse of this triangle 
is $m^2 + n^2 = c^4 + d^4$. 

Observe that 

$2d^2 = a^2 - b^2 = (a - b)(a + b).$ 

Note that both a - b and a + b are even (as a and b are odd) and that a common 
divisor of them divides both (a + b) + (a - b) = 2a and (a + b) - (a - b) = 2b. Hence, 
$(a - b, a + b) \mid 2(a, b) = 2$, so that (a - b, a + b) = 2. This, and the equation $2d^2 = 
(a - b)(a + b)$, implies (as the reader should verify) that one of the two integers a - b 
and a + b is of the form $2u^2$ and the other is of the form $v^2$ where (u, v) = 1. 

Because 


$(a + b) + (a - b) = 2a = 2u^2 + v^2,$ 

we see that $v^2$ must be even. Hence, v is even and v = 2w for some positive integer 
w. Hence, $v^2 = 4w^2$ and $a = u^2 + 2w^2$. Likewise, we find that $b = \pm(u^2 - 2w^2)$ and 
d = 2uw. Consequently, 

$m = (a^2 + b^2)/2 = ((u^2 + 2w^2)^2 + (u^2 - 2w^2)^2)/2 = u^4 + 4w^4.$ 

It follows that $(u^2, 2w^2, c)$ is a primitive Pythagorean triple and the corresponding 
triangle has area $(u^2 \cdot 2w^2)/2 = (uw)^2$ and hypotenuse of length c. Because $c < c^4 + d^4$ 
(which follows because c is a positive integer), we have produced another primitive right 
triangle whose area is a square with a hypotenuse that is shorter than what we stated was 
the shortest hypotenuse. This completes the proof by infinite descent. ■ 

Arithmetic Progressions of Three Squares and Congruent Numbers 

We will now study a problem that is equivalent to the congruent number problem, but 
which, at first blush, does not seem to be related to it. This problem asks: Which positive 
integers are the common difference of an arithmetic progression of three squares of 
integers? For example, examining the sequence of squares 

1, 4, 9, 16, 25, 36, 49, 64, 81, 100, 121, 144, 

we observe that 1, 25, 49 is such a sequence of three squares with common difference 
24. In his 1225 book Liber Quadratorum, Fibonacci called an integer n a congruum 
if there is an integer x such that $x^2 \pm n$ are both squares. Consequently, the integer n 
is a congruum if and only if there is an integer x such that $x^2 - n$, $x^2$, $x^2 + n$ is an 
arithmetic progression of three squares with common difference n. (Equivalently, n is a 
congruum if and only if there is a solution p, q, r of the two simultaneous diophantine 
equations $q^2 - p^2 = n$ and $r^2 - q^2 = n$.) The word congruum comes from the Latin 
word congruere, which means to meet together, as do three squares in an arithmetic 
progression. 

Fibonacci was concerned with arithmetic progressions of three squares of nonzero 
integers. What if we broaden our study to include arithmetic progressions of three rational 
numbers? Note that $a^2$, $b^2$, $c^2$ is an arithmetic progression of three squares of rational 
numbers with common difference N if and only if $(sa)^2$, $(sb)^2$, $(sc)^2$ is a progression of 
three rational squares with common difference $s^2 N$ whenever s is an integer. So, if we 
find an arithmetic progression of three squares with common difference $s^2 N$ where 
N is square-free, we can obtain an arithmetic progression of three rational squares with 
N as its common difference by dividing each term by $s^2$. 

We now show that asking whether a positive integer N is a congruent number is 
the same as asking whether it is the common difference of an arithmetic progression of 
three squares. First, suppose that the positive integer N is a congruent number. Then 
there are positive integers $a$, $b$, and $c$ such that $a^2 + b^2 = c^2$ and $ab/2 = N$. Note that 
$(a + b)^2 = a^2 + 2ab + b^2 = (a^2 + b^2) + 2ab = c^2 + 2ab$ and $(a - b)^2 = a^2 - 2ab + b^2 = (a^2 + b^2) - 2ab = c^2 - 2ab$. 
Consequently, $(a - b)^2$, $c^2$, $(a + b)^2$ is an arithmetic 
progression of three squares with common difference $2ab = 4(ab/2) = 4N$. Dividing 
all the terms of this arithmetic progression by 4 produces the arithmetic progression 
$((a - b)/2)^2$, $(c/2)^2$, $((a + b)/2)^2$. This is an arithmetic progression of three squares 
of rational numbers with common difference N. We illustrate this construction with an 
example. 

Example 13.15. In Example 13.13, we showed that 5 is a congruent number because 
it is the area of the right triangle with sides of lengths $a = 3/2$, $b = 20/3$, and $c = 41/6$. 
Hence, $(((3/2) - (20/3))/2)^2 = (31/12)^2$, $((41/6)/2)^2 = (41/12)^2$, and 
$(((3/2) + (20/3))/2)^2 = (49/12)^2$ is an arithmetic progression of three squares with common 
difference 5. ◄ 

Now suppose that we have an arithmetic progression of three squares of rational 
numbers $x^2 - N$, $x^2$, $x^2 + N$. How can we construct a rational right triangle with area 
$N$? If we let $a = \sqrt{x^2 + N} - \sqrt{x^2 - N}$, $b = \sqrt{x^2 + N} + \sqrt{x^2 - N}$, and $c = 2x$, then 
$a$, $b$, and $c$ are rational numbers, and we find that 

$$a^2 + b^2 = (\sqrt{x^2 + N} - \sqrt{x^2 - N})^2 + (\sqrt{x^2 + N} + \sqrt{x^2 - N})^2 = 4x^2 = c^2$$

and 

$$ab/2 = (\sqrt{x^2 + N} - \sqrt{x^2 - N})(\sqrt{x^2 + N} + \sqrt{x^2 - N})/2 = ((x^2 + N) - (x^2 - N))/2 = N.$$

Hence, $N$ is a congruent number. We 
illustrate this construction with an example. 

Example 13.16. We have observed that 1, 25, 49 is an arithmetic progression of three 
squares with common difference $24 = 2^2 \cdot 6$. We divide each term of this arithmetic 
progression by $2^2 = 4$ to obtain the arithmetic progression 1/4, 25/4, 49/4 of three 
rational squares with common difference $N = 6$, which is square-free. To find a rational 
right triangle with sides of lengths $a$, $b$, and $c$ and area 6, we use the value $x^2 = 25/4$ in our 
construction. This produces the right triangle with sides $a$, $b$, $c$ where 
$a = \sqrt{(5/2)^2 + 6} - \sqrt{(5/2)^2 - 6} = \sqrt{49/4} - \sqrt{1/4} = 7/2 - 1/2 = 3$, 
$b = \sqrt{(5/2)^2 + 6} + \sqrt{(5/2)^2 - 6} = \sqrt{49/4} + \sqrt{1/4} = 7/2 + 1/2 = 4$, 
and $c = 2x = 2(5/2) = 5$. ◄ 

We summarize our observations in the following theorem. 

Theorem 13.16. The positive integer N is a congruent number if and only if N is the 
common difference of an arithmetic progression of three squares of rational numbers. 


We have seen that the congruent number problem is equivalent to determining which 
positive integers are congruum. This equivalence is what is behind the use of the term 
“congruent number,” as the word “congruent” also comes from the Latin word congruere. 

Congruent Numbers and Elliptic Curves 

According to the definition, a positive integer $N$ is a congruent number if there is a 
solution in positive rational numbers $(a, b, c)$ to the simultaneous pair of diophantine 
equations $a^2 + b^2 = c^2$ and $ab/2 = N$. We have also seen that $N$ is a congruent number 
if there is a solution in rational numbers $(r, s, t)$ to the simultaneous pair of diophantine 
equations $s^2 - r^2 = N$ and $t^2 - s^2 = N$. However, there is a third condition that 
characterizes congruent numbers in terms of rational solutions of a single diophantine 
equation. 

Suppose that $N$ is a congruent number and that $a$, $b$, and $c$ are positive rational 
numbers with $a^2 + b^2 = c^2$ and $ab/2 = N$. We will show that the triple $(a, b, c)$ 
corresponds to a rational point on a certain curve. To find this curve and to set up the 
correspondence, first set $u = c - a$, so that $c = a + u$. We note that $u > 0$, because 
$b^2 = c^2 - a^2 = (c + a)(c - a) = (c + a)u$. Next, we substitute $a + u$ for $c$ in the 
equation $a^2 + b^2 = c^2$, which gives us $a^2 + b^2 = a^2 + 2au + u^2$. We now simplify and 
rearrange terms to see that $2au = b^2 - u^2$. Next, we divide both sides of the equation 
$ab/2 = N$ by $b$ (note that $b \ne 0$ because $ab = 2N$) to see that $a = 2N/b$. When we 
substitute $2N/b$ for $a$ in the equation $2au = b^2 - u^2$, we obtain 

$$4Nu/b = b^2 - u^2.$$

We then multiply both sides of this last equation by $b/u^3$ (note that $u \ne 0$; if $u = 0$, then 
$a = c$, which would imply that $b = 0$) to obtain 

$$4N/u^2 = (b/u)^3 - (b/u).$$

Next, we multiply both sides by $N^3$, yielding 

$$(2N^2/u)^2 = (Nb/u)^3 - N^2(Nb/u).$$

We can now conclude that the point $(x, y)$ where $x = Nb/u = Nb/(c - a)$ and 
$y = 2N^2/u = 2N^2/(c - a)$ lies on the curve 

$$y^2 = x^3 - N^2 x$$

with both $x$ and $y$ positive because $c - a > 0$. 

Now suppose that $(x, y)$ is a rational point on the curve $y^2 = x^3 - N^2 x$. We will find 
a triple of positive rational numbers $(a, b, c)$ with $a^2 + b^2 = c^2$ and $ab/2 = N$. Observe 
that if $a$, $b$, and $c$ are rational numbers with $x = Nb/(c - a)$ and $y = 2N^2/(c - a)$, then 

$$x/y = (Nb/(c - a))/(2N^2/(c - a)) = b/2N.$$

So, we take $b = 2Nx/y$. Because we want $ab/2 = N$, it follows that $a = 2N/b$. This 
tells us to take 

$$a = 2N/(2Nx/y) = y/x = y^2/(xy) = (x^3 - N^2 x)/(xy) = (x^2 - N^2)/y.$$

We see, after simplification, that 

$$a^2 + b^2 = ((x^2 - N^2)/y)^2 + (2Nx/y)^2 = (x^2 + N^2)^2/y^2.$$

Taking the positive square root, we find that we should take $c = (x^2 + N^2)/y$. 

We now summarize what we have shown. 

Theorem 13.17. Suppose that $N$ is a congruent number. Then there is a bijection 
between the set of triples of positive rational numbers $(a, b, c)$ with $a^2 + b^2 = c^2$ 
and $ab/2 = N$ and rational points $(x, y)$ with $x$ and $y$ both positive on the curve 
$y^2 = x^3 - N^2 x$. Under this bijection, the triple $(a, b, c)$ is mapped to the point $(x, y)$ 
where 

$$x = \frac{Nb}{c - a}, \qquad y = \frac{2N^2}{c - a},$$

and the point $(x, y)$ on the curve $y^2 = x^3 - N^2 x$ is mapped to the triple $(a, b, c)$ where 

$$a = \frac{x^2 - N^2}{y}, \qquad b = \frac{2Nx}{y}, \qquad c = \frac{x^2 + N^2}{y}.$$

The next theorem is an immediate consequence of Theorem 13.17. 

Theorem 13.18. The positive integer $N$ is a congruent number if and only if there is a 
rational point $(x, y)$ with both $x$ and $y$ positive on the curve $y^2 = x^3 - N^2 x$. ■ 

The next two examples illustrate how to use Theorem 13.17. 

Example 13.17. The primitive right triangle with sides 3, 4, and 5 has area $N = 6$. 
Under the correspondence in Theorem 13.17, the triple (3, 4, 5) corresponds to the point 
$(x, y) = ((6 \cdot 4)/(5 - 3), (2 \cdot 6^2)/(5 - 3)) = (12, 36)$ on the curve $y^2 = x^3 - 6^2 x = x^3 - 36x$. ◄ 

Example 13.18. Table 13.2 shows us that 210 is the area of a right triangle with 
sides of length 21, 20, and 29 and the area of a right triangle with sides of length 35, 
12, and 37. By Theorem 13.17, we know that these two rational right triangles each 
correspond to rational points on the curve $y^2 = x^3 - 210^2 x$. Under the correspondence 
in this theorem, (21, 20, 29) is mapped to the point 
$(x, y) = ((210 \cdot 20)/(29 - 21), (2 \cdot 210^2)/(29 - 21)) = (525, 11025)$ and (35, 12, 37) is mapped to the point 
$(x, y) = ((210 \cdot 12)/(37 - 35), (2 \cdot 210^2)/(37 - 35)) = (1260, 44100)$. ◄ 

Curves of the form $y^2 = x^3 - N^2 x$ that have arisen in our study of congruent 
numbers are examples of elliptic curves. More generally, an elliptic curve is the set of 
points $(x, y)$ that satisfy $y^2 = x^3 + ax + b$ where $a$ and $b$ are real numbers. Elliptic 
curves played an essential and surprising role in the proof of Fermat’s last theorem. 
Elliptic curves are also the basis of a powerful factorization method. Furthermore, there 
is an important public key cryptosystem based on elliptic curves. We will only briefly 
address some of the properties of elliptic curves here. The study of elliptic curves is 
fascinating and leads to many unsettled conjectures which have important consequences. 
The interested reader can learn much more about elliptic curves by consulting [Wa08]. 

Adding Points on an Elliptic Curve A key feature of elliptic curves is that we can 
use algebraic techniques to construct new points on them using points we already know. 
In particular, given two points on an elliptic curve $C$, we can find a new point on $C$ 
by computing their sum, where this sum is defined using the geometry of the curve, as 
explained below. (As we shall see, this sum is different from the point whose coordinates 
are the sums of the respective coordinates of the two points.) To see how we define this 
sum, suppose that $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ with $x_1 \ne x_2$ are two points on the 
elliptic curve $y^2 = x^3 + ax + b$. To define their sum $P_1 + P_2$ geometrically, we draw 
the line $\ell$ connecting $P_1$ and $P_2$. We will show that this line intersects $C$ in a third point 
$P_3'$. The sum $P_1 + P_2$ is then defined to be the point $P_3$, which is obtained from $P_3'$ by 
changing the sign of the $y$-coordinate. Geometrically, this corresponds to reflecting $P_3'$ 
across the $x$-axis. (A key reason for defining the sum this way is to make it associative; 
see [Wa08].) We illustrate this procedure in Figure 13.2. 

Figure 13.2 Addition of two points with distinct x-coordinates on an elliptic curve. 

To develop an algebraic formula for $P_3 = P_1 + P_2$, first note that the slope of 
the line $\ell$ through $P_1$ and $P_2$ is $m = (y_2 - y_1)/(x_2 - x_1)$ and that the equation of $\ell$ is 
$y = m(x - x_1) + y_1$. To determine the third point of intersection of $\ell$ and $C$ ($P_1$ and 
$P_2$ are the other two points of intersection), we substitute the value for $y$ given by the 
equation of $\ell$ into the equation for $C$. This gives us 

$$(m(x - x_1) + y_1)^2 = x^3 + ax + b.$$

From this equation, we see that if the point $(x, y)$ is a point of intersection of $\ell$ and 
$C$, then $x$ is a root of a cubic equation for $x$, obtained by subtracting the left-hand 
side of the last displayed equation from the right-hand side. Hence, the coefficient of 
$x^2$ in this cubic equation is $-m^2$. Now, recall that if $r_1$, $r_2$, and $r_3$ are the roots of a 
cubic polynomial $x^3 + a_2 x^2 + a_1 x + a_0$, then $r_1 + r_2 + r_3 = -a_2$. Our third point of 
intersection of $\ell$ and $C$ is $P_3' = (x_3, -y_3)$. Consequently, we know that $x_1 + x_2 + x_3 = m^2$, 
so that $x_3 = m^2 - x_1 - x_2$. It follows that $y_3 = m(x_1 - x_3) - y_1$. 

We now consider the case when $P_1 = P_2$. Note that as $P_2$ approaches $P_1$ 
on $C$, the line between $P_2$ and $P_1$ approaches the tangent line to $C$ at $P_1$. To define 
$P_1 + P_2 = 2P_1$, we first draw the tangent line $\ell$ to $C$ at $P_1$. This line intersects the curve 
in a point $P'$. We change the sign of the $y$-coordinate to produce the point $P_3$. (We can 
use implicit differentiation to find the slope of $C$ at the point $P_1$.) We leave it to the reader to 
complete the details of this case; the resulting algebraic formula is given in the statement 
of the next theorem. 

Before we give a formula for the sum of two points $P_1$ and $P_2$ on an elliptic curve 
that includes all possible cases, we need to introduce the point at infinity, denoted by 
$\infty$. This point can be thought of as a point sitting both on top and at the bottom of the 
$y$-axis. For example, when $x_1 = x_2$ and $y_1 \ne y_2$, $\ell$ is a vertical line that is considered to 
intersect the elliptic curve at $\infty$. When we reflect this point across the $x$-axis, we obtain 
this same point $\infty$. 

We can define the sum of two points on an elliptic curve for all possible values of 
these points. 
Definition. Addition Formula for Elliptic Curves. Suppose that $P_1 = (x_1, y_1)$ and 
$P_2 = (x_2, y_2)$ are points on the elliptic curve $y^2 = x^3 + ax + b$. 

(i) When $P_1 \ne P_2$ and neither is the point at infinity, if $x_1 \ne x_2$, define 

$$P_1 + P_2 = (m^2 - x_1 - x_2,\; m(x_1 - x_3) - y_1)$$

where $m = (y_2 - y_1)/(x_2 - x_1)$, and if $x_1 = x_2$, but $y_1 \ne y_2$, define 

$$P_1 + P_2 = \infty.$$

(ii) When $P_1 = P_2$ is not the point at infinity, if $y_1 = y_2 \ne 0$, define 

$$P_1 + P_2 = 2P_1 = (m^2 - 2x_1,\; m(x_1 - x_3) - y_1)$$

where $m = (3x_1^2 + a)/2y_1$, and define 

$$P_1 + P_2 = \infty$$

if $y_1 = y_2 = 0$. 

(iii) Finally, define 

$$P + \infty = P$$

for all points $P$ on the elliptic curve (including $\infty$). 

Addition of points on an elliptic curve, as we have defined it, satisfies commutativity, 
$P_1 + P_2 = P_2 + P_1$ for all points $P_1$ and $P_2$; existence of identity, $P + \infty = P$ for 
all points $P$; existence of inverses, for all points $P$, there exists a point $P'$ such that 
$P + P' = \infty$; and associativity, $(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3)$ for all points $P_1$, $P_2$, 
and $P_3$. (See [Wa08] for proofs of these properties.) 

Note that given two distinct rational points $P_1$ and $P_2$ on an elliptic curve, their sum 
is again a rational point, as the reader should verify from the definition. Similarly, given a 
rational point $P$ on an elliptic curve, its algebraic double $2P$, and all points of the form 
$kP$, where $k$ is a positive integer, are also rational points on this curve. Hence, when 
we know one or more rational points on the elliptic curve $y^2 = x^3 - N^2 x$ where $N$ is 
a positive integer, we can use addition of points to construct other rational points. Each 
rational point we find corresponds to a rational right triangle with area $N$. 

The following example shows how to use algebraic doubling to find additional right 
triangles with a given area. 


Example 13.19. In Example 13.17, we found the rational point $P = (x, y) = (12, 36)$ 
on the elliptic curve $y^2 = x^3 - 36x$ corresponding to the rational right triangle with sides 
3, 4, 5. We can find another rational right triangle with area 6 by finding the rational right 
triangle that corresponds to $2P$, the algebraic double of (12, 36) on this elliptic curve. 

To compute $2P$, we first find the slope of the tangent line $\ell$ to the curve at (12, 36). 
This slope is $m = (3 \cdot 12^2 - 36)/(2 \cdot 36) = 11/2$. We use the value of the slope to find 
that $x_3 = m^2 - 2x_1 = (11/2)^2 - 2 \cdot 12 = 25/4$. Next, we use the value of $x_3$ to find 
that $m(x_1 - x_3) - y_1 = 11/2(12 - 25/4) - 36 = 11/2 \cdot 23/4 - 36 = 253/8 - 288/8 = -35/8$. 
This means that $2P = (25/4, -35/8)$. 

To use the correspondence in Theorem 13.17, we want a point with positive $y$-coordinate. 
Note that we can change the sign of the $y$-coordinate to get the point 
(25/4, 35/8) on the curve. By Theorem 13.17, we find that the triple $(a, b, c)$ corresponding 
to (25/4, 35/8) has $a = ((25/4)^2 - 36)/(35/8) = 7/10$, $b = (2 \cdot 6 \cdot 25/4)/(35/8) = 120/7$, 
and $c = ((25/4)^2 + 6^2)/(35/8) = 1201/70$. It follows that the rational 
right triangle with sides of length 7/10, 120/7, and 1201/70 also has area 6. This procedure 
can be iterated to find additional rational right triangles with area 6 (see Exercise 
6 in the Computations and Explorations). ◄ 

Using the doubling formula illustrated in Example 13.19, it can be shown that when 
$N$ is a congruent number, there are infinitely many different rational triangles with area 
$N$. A proof of this result, using properties of rational points on elliptic curves beyond 
the scope of this book, can be found in [Ch06]. 

The next example shows how to use the two rational right triangles with area N to 
find additional rational right triangles with the same area. 

Example 13.20. In Example 13.18, we found two rational points on the elliptic curve 
$y^2 = x^3 - 210^2 x$. These points are $P_1 = (525, 11025)$, which corresponds to the rational 
right triangle with side lengths 21, 20, and 29, and $P_2 = (1260, 44100)$, which corresponds 
to the rational right triangle with side lengths 35, 12, and 37. We can find another 
rational right triangle with area 210 by computing $P_1 + P_2$. To find this sum, first note that 
$m = (44100 - 11025)/(1260 - 525) = 45$. Consequently, $x_3 = m^2 - x_1 - x_2 = 45^2 - 525 - 1260 = 240$ 
and $y_3 = m(x_1 - x_3) - y_1 = 45(525 - 240) - 11025 = 1800$. We find 
that $P_1 + P_2 = (240, 1800)$. 

By Theorem 13.17, (240, 1800) corresponds to the triple $(a, b, c)$ with 
$a = (240^2 - 210^2)/1800 = (57600 - 44100)/1800 = 15/2$, $b = 2 \cdot 210 \cdot 240/1800 = 56$, and 
$c = (240^2 + 210^2)/1800 = 113/2$. This means that the rational right triangle with sides of 
length 15/2, 56, and 113/2 also has area 210. ◄ 
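The addition formula and the correspondence of Theorem 13.17 can be carried out in exact rational arithmetic. The following Python sketch is an added example, not part of the original text; the function names and the choice of `None` for the point at infinity are assumptions made here. It reproduces Examples 13.17 through 13.20 and iterates the doubling of Example 13.19.

```python
from fractions import Fraction

INF = None  # assumed representation of the point at infinity


def on_curve(P, a, b):
    """True if P is the point at infinity or satisfies y^2 = x^3 + a*x + b."""
    if P is INF:
        return True
    x, y = P
    return y * y == x**3 + a * x + b


def ec_add(P, Q, a, b):
    """Sum of P and Q on y^2 = x^3 + a*x + b, cases (i)-(iii) of the definition."""
    if P is INF:                      # case (iii): the point at infinity is the identity
        return Q
    if Q is INF:
        return P
    x1, y1 = map(Fraction, P)
    x2, y2 = map(Fraction, Q)
    # The formulas are only meaningful for points that lie on the curve.
    if not (on_curve((x1, y1), a, b) and on_curve((x2, y2), a, b)):
        raise ValueError("point is not on the curve")
    if x1 == x2:
        if y1 != y2 or y1 == 0:       # vertical line: the sum is the point at infinity
            return INF
        m = (3 * x1 * x1 + a) / (2 * y1)   # case (ii): slope of the tangent line
    else:
        m = (y2 - y1) / (x2 - x1)          # case (i): slope of the chord
    x3 = m * m - x1 - x2
    y3 = m * (x1 - x3) - y1
    return (x3, y3)


def triangle_to_point(a, b, c, N):
    """Theorem 13.17: triple (a, b, c) with area N -> point on y^2 = x^3 - N^2 x."""
    a, b, c = map(Fraction, (a, b, c))
    if a * a + b * b != c * c or a * b != 2 * N:
        raise ValueError("not a right triangle with area N")
    return (N * b / (c - a), 2 * N * N / (c - a))


def point_to_triangle(P, N):
    """Theorem 13.17: point on y^2 = x^3 - N^2 x -> triple (a, b, c) with area N."""
    x, y = map(Fraction, P)
    y = abs(y)                        # reflect across the x-axis, as in Example 13.19
    if y == 0:
        raise ValueError("points with y = 0 do not correspond to a triangle")
    return ((x * x - N * N) / y, 2 * N * x / y, (x * x + N * N) / y)


def triangles_by_doubling(triangle, N, count):
    """Triangles with area N obtained from 2P, 4P, 8P, ... (count doublings)."""
    P = triangle_to_point(*triangle, N)
    found = []
    for _ in range(count):
        P = ec_add(P, P, -N * N, 0)
        found.append(point_to_triangle(P, N))
    return found


if __name__ == "__main__":
    P = triangle_to_point(3, 4, 5, 6)
    print("P  =", P)
    print("2P =", ec_add(P, P, -36, 0))
    for t in triangles_by_doubling((3, 4, 5), 6, 2):
        print("area-6 triangle:", tuple(str(s) for s in t))
```
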

An Algorithm for Congruent Numbers We conclude this section with an efficient 
algorithm for determining whether a positive integer is a congruent number. Unfortunately, 
it is not yet known whether this algorithm always yields the correct answer. This 
algorithm is based on a theorem proved in 1983 by Jerrold Tunnell in [Tu83]. The proof 
of this theorem is based on deep results about elliptic curves and modular forms and is 
beyond the scope of this book (see [Ko96] for a proof). 

Theorem 13.19. Tunnell's Theorem. Let $A_n$, $B_n$, $C_n$, and $D_n$, where $n$ is a positive 
integer, be the number of solutions in integers $x$, $y$, $z$ of the equations $n = 2x^2 + y^2 + 32z^2$, 
$n = 2x^2 + y^2 + 8z^2$, $n = 8x^2 + 2y^2 + 64z^2$, and $n = 8x^2 + 2y^2 + 16z^2$, 
respectively. If $n$ is a congruent number, then if $n$ is odd, $A_n = B_n/2$, and if $n$ is 
even, $C_n = D_n/2$. Conversely, under the assumption that the Birch-Swinnerton Dyer 
conjecture holds, if $n$ is odd and $A_n = B_n/2$ or if $n$ is even and $C_n = D_n/2$, then $n$ is a 
congruent number. ■ 

To use Tunnell’s theorem to determine whether a positive integer is a congruent 
number, we find $A_n$, $B_n$, $C_n$, and $D_n$ and check the appropriate equality. This can be 
done efficiently because these quantities can be found quickly by brute force. Tunnell’s 
theorem can tell us that an integer is not a congruent number, but it cannot itself tell us 
with certainty that an integer is a congruent number. Of course, this uncertainty would be 
removed if the Birch-Swinnerton Dyer conjecture were proved. The following example 
illustrates the use of Tunnell’s theorem. 

Example 13.21. Tunnell’s theorem can confirm Fermat’s result that 3 is not a congruent 
number. We note that $A_3 = 4$ and $B_3 = 4$, as the solutions in integers of both $3 = 2x^2 + y^2 + 32z^2$ 
and $3 = 2x^2 + y^2 + 8z^2$ are $x = \pm 1$, $y = \pm 1$, $z = 0$. Because $A_3 \ne B_3/2$, it 
follows that 3 is not a congruent number. 

The conjectural part of Tunnell’s theorem predicts that 34 is a congruent number. 
To see this, note that $C_{34} = 4$ because the solutions in integers $x$, $y$, $z$ of $34 = 8x^2 + 2y^2 + 64z^2$ 
are $x = \pm 2$, $y = \pm 1$, $z = 0$ and $D_{34} = 8$ because the solutions in integers 
$x$, $y$, $z$ of $34 = 8x^2 + 2y^2 + 16z^2$ are $x = \pm 2$, $y = \pm 1$, $z = 0$, and $x = 0$, $y = \pm 3$, 
$z = \pm 1$. Hence, $C_{34} = D_{34}/2$. So, under the assumption that the Birch-Swinnerton Dyer 
conjecture holds, it follows that 34 is a congruent number. We leave it to the reader 
to confirm this by finding a rational right triangle with area 34. (See Exercise 2 in the 
Computations and Explorations). ◄ 
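The brute-force count described above takes only a few lines. The following Python sketch is an added example, not part of the original text; the function names are assumptions made here, and the sample inputs are square-free, the setting in which Tunnell's criterion is usually stated.

```python
from math import isqrt

# Coefficients (cx, cy, cz) of the four forms cx*x^2 + cy*y^2 + cz*z^2
# that define A_n, B_n, C_n, D_n in Theorem 13.19.
FORMS = {
    "A": (2, 1, 32),
    "B": (2, 1, 8),
    "C": (8, 2, 64),
    "D": (8, 2, 16),
}


def count_solutions(n, cx, cy, cz):
    """Number of integer triples (x, y, z) with cx*x^2 + cy*y^2 + cz*z^2 == n."""
    count = 0
    z_max = isqrt(n // cz)
    for z in range(-z_max, z_max + 1):
        rest_z = n - cz * z * z
        y_max = isqrt(rest_z // cy)
        for y in range(-y_max, y_max + 1):
            rest = rest_z - cy * y * y
            if rest % cx:
                continue              # cx*x^2 cannot equal the remainder
            q = rest // cx
            r = isqrt(q)
            if r * r == q:
                # x = 0 gives one solution, x = +r and x = -r give two
                count += 1 if r == 0 else 2
    return count


def tunnell_counts(n):
    """Return (A_n, B_n, C_n, D_n)."""
    return tuple(count_solutions(n, *FORMS[k]) for k in "ABCD")


def tunnell_equality_holds(n):
    """A_n = B_n/2 for odd n, C_n = D_n/2 for even n (tested without division)."""
    A, B, C, D = tunnell_counts(n)
    return 2 * A == B if n % 2 else 2 * C == D


def classify(n):
    """Verdict in the sense of Theorem 13.19."""
    if tunnell_equality_holds(n):
        # Only the conjectural converse applies in this case.
        return "congruent if the Birch-Swinnerton Dyer conjecture holds"
    # The unconditional direction: the equality fails, so n is not congruent.
    return "not congruent"


if __name__ == "__main__":
    for n in (1, 2, 3, 5, 6, 7, 34):
        print(n, tunnell_counts(n), classify(n))
```
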


13.5 Exercises 

1. Show that the area of a primitive Pythagorean triangle is even. 

2. Find the congruent numbers that appear in the last column of an extended version of Table 
13.2 that includes rows corresponding to $m = 7$ and $n = 2, 4, 6$. 

3. Find the congruent numbers that appear in the last column of an extended version of Table 
13.2 that includes rows corresponding to $m = 8$ and $n = 1, 3, 5, 7$. 

4. Find the congruent numbers that appear in the last column of an extended version of Table 
13.2 that includes rows corresponding to $m = 9$ and $n = 2, 4, 8$. 

5. Find the square-free congruent number corresponding to the area of the primitive right triangle 
corresponding to these Pythagorean triples. 

a) (15, 8, 17) b) (7, 24, 25) c) (21, 20, 29) d) (9, 40, 41) 

6. Find the square-free congruent number corresponding to the area of the primitive right triangle 
corresponding to these Pythagorean triples. 

a) (35, 12, 37) b) (11, 60, 61) c) (45, 28, 53) d) (33, 56, 65) 

7. Show that there are infinitely many different congruent numbers. 

8. Complete the proof of Theorem 13.14 by dealing with the three cases not addressed in the 
text. 

9. Use the fact that 1 is not a congruent number to show that $\sqrt{2}$ is not rational. (Hint: Consider 
the right triangle with two legs of length $\sqrt{2}$.) 

10. Use the fact that 2 is not a congruent number to show that $\sqrt{2}$ is not rational. (Hint: Consider 
the right triangle with two legs of length 2.) 

* 11. Use the method of infinite descent to show that no integer that is twice a square is a congruent 
number. 

* * 12. Prove that 3 is not a congruent number. (Hint: Use Theorem 13.14. Three of the four cases 
are straightforward, but the fourth is quite complicated.) 

13. Explain why these integers cannot be the common difference of an arithmetic progression of 
three squares. 

a) 1 b) 8 c) 25 d) 48 

14. Explain why these integers cannot be the common difference of an arithmetic progression of 
three squares. 

a) 2 b) 9 c) 32 d) 300 

15. Find a rational number $r$ such that $r^2 \pm 7$ are both squares of rational numbers. 

16. Find a rational number $r$ such that $r^2 \pm 15$ are both squares of rational numbers. 

17. Construct a right triangle with rational sides with area 21 starting with the arithmetic pro- 
gression of three squares 289, 625, 961 with common difference 336. 

18. Construct a right triangle with rational sides with area 210 starting with the arithmetic 
progression of three squares 529, 1369, 2209 with common difference 840. 

19. In this exercise, we show that finding all arithmetic progressions of three rational squares is 
equivalent to finding all rational points on the circle $x^2 + y^2 = 2$. (See Exercise 21 in Section 
13.1 for a parameterization of these points.) 

a) Show that if $a^2$, $b^2$, $c^2$ is an arithmetic progression of positive integers, then $(a/b, c/b)$ is 
a rational point on the circle $x^2 + y^2 = 2$. 

b) Show that if $x^2 + y^2 = 2$, where $x$ and $y$ are rational, and $t$ is a nonzero integer, then $(tx)^2$, 
$t^2$, $(ty)^2$ is a progression of three rational squares. 

20. Use the mapping in Theorem 13.17 to find the rational point on the elliptic curve 
$y^2 = x^3 - 25x$ corresponding to the rational right triangle with sides of lengths 3/2, 20/3, and 
41/6. 

21. Use the mapping in Theorem 13.17 to find the rational point on the elliptic curve 
$y^2 = x^3 - 49x$ corresponding to the rational right triangle with sides of length 35/12, 24/5, and 
337/60. 

22. Show that there are no rational points $(x, y)$ with $x$ and $y$ positive on the elliptic curve 
$y^2 = x^3 - x$. (Hint: Use the fact that 1 is not a congruent number.) 

23. Show that there are no rational points $(x, y)$ with $x$ and $y$ positive on the elliptic curve 
$y^2 = x^3 - 4x$. (Hint: Use the fact that 2 is not a congruent number.) 

24. Complete the derivation of the algebraic doubling formula for a point on an elliptic curve. 

25. Use algebraic doubling, starting with the point on the elliptic curve $y^2 = x^3 - 25x$ found in 
Exercise 20, to find a rational right triangle with area 5 different than the one with sides of 
length 3/2, 20/3, and 41/6. 

26. Use algebraic doubling, starting with the point on the elliptic curve $y^2 = x^3 - 49x$ found in 
Exercise 21, to find a rational right triangle with area 7 different than the one with sides of 
length 35/12, 24/5, and 337/60. 

27. Add the points (12, 36) and (25/4, -35/8) on the elliptic curve $y^2 = x^3 - 36x$, and use 
Theorem 13.17 to find a rational right triangle with area 6 different from the ones with side 
lengths of 3, 4, and 5 and 7/10, 120/7, and 1201/70. 

28. Add the points (240, 1800) and (1260, 44100) on the elliptic curve $y^2 = x^3 - 210^2 x$, and 
use Theorem 13.17 to find a rational right triangle with area 210 different from the three 
mentioned in Example 13.20. 

29. Find two arithmetic progressions of three rational squares with common difference 6 other 
than the arithmetic progression (1/2) 2 , (5/2) 2 , (7/2) 2 . 

30. Find two different arithmetic progressions of three rational squares with common differ- 
ence 21. 

31. Use Tunnell’s theorem to show that these integers are not congruent numbers. 

a) 1 b) 10 c) 17 

32. Use Tunnell’s theorem to show that these integers are not congruent numbers. 

a) 2 b) 10 c) 126 

33. Assuming the Birch-Swinnerton Dyer conjecture, use Tunnell’s theorem to show that 41 is a 
congruent number. 

34. Assuming the Birch-Swinnerton Dyer conjecture, use Tunnell’s theorem to show that 157 is a 
congruent number. 

35. Euler conjectured, but did not prove, that if $n$ is a square-free positive integer and $n \equiv 5$, 6 or 
7 (mod 8), then $n$ is a congruent number. Assuming the Birch-Swinnerton Dyer conjecture, 
use Tunnell’s theorem to prove this conjecture. 

A triangle is called a Heron triangle if the lengths of its sides and its area are all rational. These 
triangles are named after Heron of Alexandria, who showed that the area of a triangle with sides 
of length $a$, $b$, $c$ is $\sqrt{s(s - a)(s - b)(s - c)}$ where $s = (a + b + c)/2$. Recall that if $\theta$ is the angle 
formed by the sides of length $a$ and $b$, then the area equals $ab \sin\theta/2$. Also recall that by the law 
of cosines, $c^2 = a^2 + b^2 - 2ab \cos\theta$. 

36. Show that if a triangle has sides of length 13, 14, 15, then it is a Heron triangle. 

* 37. Show that if $n$ is a positive integer, then there is a Heron triangle of area $n$. (Hint: Glue 
together two triangles with sides of length 2, $|r - (1/r)|$, $|s - (1/s)|$ where $r = 2n/(n - 2)$ 
and $s = (n - 2)/4$, and scale the triangle appropriately.) 

38. Show that if a Heron triangle has side lengths $x$, $y$, $z$, and the angle between the sides of 
length $x$ and $y$ is $\theta$, then $\cos\theta$ and $\sin\theta$ are rational numbers and the point $(\sin\theta, \cos\theta)$ is 
a rational number $t$ such that $\sin\theta$ = and $\cos\theta$ = 

We call an integer a t -congruent number if there are rational numbers a, b, c such that ab(-^-^) = 
In and a 2 + b 2 = 2afe(^y) = c 2 . (When t = 1, a t-congruent number is the same as a congruent 
number.) 

39. a) Suppose that $t$ is a rational number. Show that a positive integer $n$ is a $t$-congruent number 
if and only if both $n/t$ and $t^2 + 1$ are rational squares or if there is a rational point $(x, y)$ 
with $y \ne 0$ on the curve $y^2 = (x - \frac{n}{t})(x + nt)$. (Hint: Show that if $a$, $b$, and $c$ satisfy the 
equations in the definition and $b \ne c$, then $(a^2/4, (ab^2 - ac^2)/8)$ lies on this curve. When 
$(x, y)$ lies on the curve and $y \ne 0$, let $a = |(x^2 + y^2)/y|$, $b = |(x - (n/t))(x + nt)/y|$, 
and when $y = 0$, let $a = 2\sqrt{n/t}$, $b = c = \sqrt{n(t^2 + 1)/t}$.) 

b) Show that the point (-6, 30) lies on the curve $y^2 = (x - \frac{n}{t})(x + nt)$ when $n = 12$ and 
$t = 4/3$. 

c) Use part (a) to show that 12 is a 4/3-congruent number and find the lengths of the sides 
and the area of a triangle with rational side lengths and area 12. 

d) Conclude from Exercise 31 that if n is a positive integer, then there is a rational number 
t such that n is a t-congruent number. 

40. This exercise introduces another problem that can be solved by finding rational points on 
an elliptic curve. Consider a collection of balls arranged in a square pyramid with $x$ square 
layers, with one ball in the top layer, four in the layer below that, and so on, with $x^2$ in the 
bottom layer. 

a) Show that we can rearrange the balls in the pyramid into a single square of side $y$ if and 
only if there is a positive integer solution $(x, y)$ to $y^2 = x(x + 1)(2x + 1)/6$. 

b) Show that if $1 \le x \le 10$, it is possible to arrange the balls into a square pyramid only when 
$x = 1$. 

c) Show that both (0, 0) and (1, 1) lie on the curve $y^2 = x(x + 1)(2x + 1)/6$. Find the sum 
of (0, 0) and (1, 1) on this curve. 

d) Find the sum of the point you found in part (c) and (1, 1). Show that this sum leads to a positive 
integer solution. 

Computations and Explorations 

1. Extend Table 13.2 to include rows for every pair of integers $m$ and $n$ of opposite parity with 
$50 > n > m$. 

2. Show that 34 is a congruent number by finding a Pythagorean triple such that the square-free 
part of the area of the corresponding triangle is 34. 

3. Show that 39 is a congruent number by finding a Pythagorean triple such that the square-free 
part of the area of the corresponding triangle is 39. 

4. Find the rational point on the elliptic curve $y^2 = x^3 - 53^2 x$ corresponding to the primitive 
Pythagorean triple $a = m^2 - n^2$, $b = 2mn$, $c = m^2 + n^2$ with $m = 1{,}873{,}180{,}325$ and 
$n = 1{,}158{,}313{,}156$. 

5. Find as many arithmetic progressions of three squares as you can by examining the sequence 
of squares of integers. 

6. Find as many different rational right triangles as you can with area 6 by successive algebraic 
doubling of points on the elliptic curve $y^2 = x^3 - 36x$. 

7. Find as many different rational right triangles as you can with area 210 by successive algebraic 
doubling of points on the elliptic curve $y^2 = x^3 - 210^2 x$. 

8. Use the fact that (111, 6160, 6161), (231, 2960, 2969), (518, 1320, 1418), and (280, 2442, 
2458) are four Pythagorean triples each corresponding to a right triangle with area 
$341{,}880 = 2^2 \cdot 170{,}940$ to find four different rational points on the elliptic curve $y^2 = x^3 - 170{,}940^2 x$. 
By adding pairs of these points, find additional rational right triangles with area 170,940. 
Programming Projects 

1. Given a positive integer $U$, extend Table 13.2 to include rows for every pair of integers $m$ 
and $n$ of opposite parity with $U > m > n$. 

2. Given an elliptic curve $y^2 = x^3 + ax + b$ and two points on this curve, find the sum of these 
points. 

3. Given the side lengths of a rational right triangle with area $N$, find the associated point on the 
elliptic curve $y^2 = x^3 - N^2 x$. Then use algebraic doubling to find additional rational points 
on the curve and the associated rational right triangles with area $N$. 




The Gaussian Integers 


In previous chapters, we studied properties of the set of integers. A particularly appealing 
aspect of number theory is that many basic properties of the integers relating to 
divisibility, primality, and factorization can be carried over to other sets of numbers. In 
this chapter, we study the set of Gaussian integers, numbers of the form $a + bi$, where 
$a$ and $b$ are integers and $i = \sqrt{-1}$. We introduce the concept of divisibility for Gaussian 
integers, and establish a version of the division algorithm for them. We describe what it 
means for a Gaussian integer to be prime, and develop the notion of greatest common 
divisors for pairs of Gaussian integers. Moreover, we show that Gaussian integers can 
be written uniquely as the product of Gaussian primes (taking into account a few minor 
details). Finally, we show how to use the Gaussian integers to determine how many ways 
a positive integer can be written as the sum of two squares. The material in this chapter 
is a small step into the world of algebraic number theory, the branch of number theory 
devoted to the study of algebraic numbers and their properties. Students continuing their 
study of number theory will find this fairly concrete treatment of the Gaussian integers 
a useful bridge to more advanced studies. Excellent references for the study of algebraic 
number theory include [AlWi03], [Mo99], [Po99], and [Ri01]. 


14.1 Gaussian Integers and Gaussian Primes 

In this chapter, we extend our study of number theory into the realm of complex numbers. 
We begin with a brief review of the basic properties of the complex numbers for those 
who have either never seen this material or need a brief refresher. 

The complex numbers are the numbers of the form $x + yi$, where $i = \sqrt{-1}$. Complex 
numbers can be added, subtracted, multiplied, and divided, according to the following 
rule: 

$$(a + bi) + (c + di) = (a + c) + (b + d)i$$

$$(a + bi) - (c + di) = (a - c) + (b - d)i$$

$$(a + bi)(c + di) = ac + adi + bci + bdi^2 = (ac - bd) + (ad + bc)i$$

$$\frac{a + bi}{c + di} = \frac{a + bi}{c + di} \cdot \frac{c - di}{c - di} = \frac{ac + bd}{c^2 + d^2} + \frac{(-ad + bc)i}{c^2 + d^2}$$

Note that addition and multiplication of complex numbers are commutative. 

We use the absolute value of an integer to describe the size of this integer. For 
complex numbers, there are several commonly used ways to describe the size of numbers. 
Definition. If $z = x + iy$ is a complex number, then $|z|$, the absolute value of $z$, equals

$$|z| = \sqrt{x^2 + y^2},$$

and $N(z)$, the norm of $z$, equals

$$|z|^2 = x^2 + y^2.$$

Given a complex number, we can form another complex number with the same 
absolute value and norm by changing the sign of the imaginary part of the number. 

Definition. The conjugate of the complex number $z = a + bi$, denoted by $\bar{z}$, is the
complex number $a - bi$.

Note that if $w$ and $z$ are two complex numbers, then the conjugate of $wz$ is the product
of the conjugates of $w$ and $z$. That is, $\overline{wz} = \bar{w}\,\bar{z}$. Also note that if $z = x + iy$ is a
complex number, then

$$z\bar{z} = (x + iy)(x - iy) = x^2 + y^2 = N(z).$$

Next, we prove some useful properties of norms. 

Theorem 14.1. The norm function N from the set of complex numbers to the set of 
nonnegative real numbers satisfies the following properties. 

(i) N(z) is a nonnegative real number for all complex numbers z. 

(ii) N(zw) = N(z)N(w) for all complex numbers z and w. 

(iii) N(z) = 0 if and only if z = 0. 

Proof. To prove (i), suppose that $z$ is a complex number. Then $z = x + iy$, where $x$ and
$y$ are real numbers. It follows that $N(z) = x^2 + y^2$ is a nonnegative real number because
both $x^2$ and $y^2$ are nonnegative real numbers.

To prove (ii), note that

$$N(zw) = (zw)(\overline{zw}) = (zw)(\bar{z}\,\bar{w}) = (z\bar{z})(w\bar{w}) = N(z)N(w),$$

whenever $z$ and $w$ are complex numbers.

To prove (iii), note that $0 = 0 + 0i$, so that $N(0) = 0^2 + 0^2 = 0$. Conversely, suppose
that $N(x + iy) = 0$, where $x$ and $y$ are integers. Then $x^2 + y^2 = 0$, which implies that
$x = 0$ and $y = 0$ because both $x^2$ and $y^2$ are nonnegative. Hence, $x + iy = 0 + i \cdot 0 = 0$.


Gaussian Integers 

In previous chapters, we generally restricted ourselves to the rational numbers and 
integers. An important branch of number theory, called algebraic number theory, extends 
the theory we have developed for the integers to particular sets of algebraic integers. 
By an algebraic integer, we mean a root of a monic polynomial (that is, with leading 
coefficient 1) with integer coefficients. We now introduce the particular set of algebraic
integers we will study in this chapter. 

Definition. Complex numbers of the form $a + bi$, where $a$ and $b$ are integers, are called
Gaussian integers. The set of all Gaussian integers is denoted by $\mathbb{Z}[i]$.

Note that if $\gamma = a + bi$ is a Gaussian integer, then it is an algebraic integer satisfying
the equation

$$\gamma^2 - 2a\gamma + (a^2 + b^2) = 0,$$

as the reader should verify. Because $\gamma$ satisfies a monic polynomial with integer
coefficients of degree two, it is called a quadratic irrationality. Conversely, note that if $\alpha$ is
a number of the form $r + si$, where $r$ and $s$ are rational numbers and $\alpha$ is a root of a
monic quadratic polynomial with integer coefficients, then $\alpha$ is a Gaussian integer (see
Exercise 22). The Gaussian integers are named after the great German mathematician
Carl Friedrich Gauss, who was the first to extensively study their properties.

The usual convention is to use Greek letters, such as $\alpha$, $\beta$, $\gamma$, and $\delta$, to denote
Gaussian integers. Note that if $n$ is an integer, then $n = n + 0i$ is also a Gaussian integer.
We call an integer $n$ a rational integer when we are discussing Gaussian integers.

The Gaussian integers are closed under addition, subtraction, and multiplication, as 
the following theorem shows. 

Theorem 14.2. Suppose that $\alpha = x + iy$ and $\beta = w + iz$ are Gaussian integers, where
$x$, $y$, $w$, and $z$ are rational integers. Then $\alpha + \beta$, $\alpha - \beta$, and $\alpha\beta$ are all Gaussian integers.

Proof. We have $\alpha + \beta = (x + iy) + (w + iz) = (x + w) + i(y + z)$,
$\alpha - \beta = (x + iy) - (w + iz) = (x - w) + i(y - z)$, and
$\alpha\beta = (x + iy)(w + iz) = xw + iyw + ixz + i^2yz = (xw - yz) + i(yw + xz)$.
Because the rational integers are closed under
addition, subtraction, and multiplication, it follows that each of $\alpha + \beta$, $\alpha - \beta$, and $\alpha\beta$
is a Gaussian integer. ■

Although the Gaussian integers are closed under addition, subtraction, and multiplication,
they are not closed under division, which is also the case for the rational integers.
Also, note that if $\alpha = a + bi$ is a Gaussian integer, then $N(\alpha) = a^2 + b^2$ is a nonnegative
rational integer.


Divisibility of Gaussian Integers 

We can study the set of Gaussian integers much as we have studied the set of rational 
integers. There are straightforward analogies to many of the basic properties of the 
integers for the Gaussian integers. To develop these properties for the Gaussian integers, 
we need to introduce some concepts for the Gaussian integers analogous to those for the 
ordinary integers. In particular, we need to define what it means for a Gaussian integer 
to divide another. Later, we will define Gaussian primes, greatest common divisors of 
pairs of Gaussian integers, and other important notions. 
Definition. Suppose that $\alpha$ and $\beta$ are Gaussian integers. We say that $\alpha$ divides $\beta$ if there
exists a Gaussian integer $\gamma$ such that $\beta = \alpha\gamma$. If $\alpha$ divides $\beta$, we write $\alpha \mid \beta$, whereas if
$\alpha$ does not divide $\beta$, we write $\alpha \nmid \beta$.

Example 14.1. We see that $2 - i \mid 13 + i$ because

$$(2 - i)(5 + 3i) = 13 + i.$$

However, $3 + 2i \nmid 6 + 5i$ because

$$\frac{6 + 5i}{3 + 2i} = \frac{(6 + 5i)(3 - 2i)}{(3 + 2i)(3 - 2i)} = \frac{28 + 3i}{13} = \frac{28}{13} + \frac{3}{13}i,$$

which is not a Gaussian integer. ◄

Example 14.2. We see that $-i \mid (a + bi)$ for all Gaussian integers $a + bi$ because
$a + bi = -i(-b + ai)$, whenever $a$ and $b$ are integers. The only other Gaussian integers
that divide all other Gaussian integers are $1$, $-1$, and $i$. We will see why this is true later
in this section. ◄

Example 14.3. The Gaussian integers divisible by the Gaussian integer $3 + 2i$ are the
numbers $(3 + 2i)(a + ib)$, where $a$ and $b$ are integers. Note that $(3 + 2i)(a + ib) =
3a + 2ia + 3ib + 2i^2b = (3a - 2b) + i(2a + 3b)$. We display these Gaussian integers
in Figure 14.1. ◄



Figure 14.1 The Gaussian integers divisible by $3 + 2i$.

Divisibility in the Gaussian integers satisfies many of the same properties satisfied
by divisibility of rational integers. For example, if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers
and $\alpha \mid \beta$ and $\beta \mid \gamma$, then $\alpha \mid \gamma$. Furthermore, if $\alpha$, $\beta$, $\gamma$, $\nu$, and $\mu$ are Gaussian integers
and $\gamma \mid \alpha$ and $\gamma \mid \beta$, then $\gamma \mid (\mu\alpha + \nu\beta)$. We leave it to the reader to verify that these
properties hold.

In the integers, there are exactly two integers that are divisors of the integer 1, 
namely, 1 and —1. We now determine which Gaussian integers are divisors of 1. We 
begin with a definition. 

Definition. A Gaussian integer $\epsilon$ is called a unit if $\epsilon$ divides 1. When $\epsilon$ is a unit, $\epsilon\alpha$ is
an associate of the Gaussian integer $\alpha$.

We now characterize which Gaussian integers are units in a way that will make them 
easy to find. 

Theorem 14.3. A Gaussian integer $\epsilon$ is a unit if and only if $N(\epsilon) = 1$.

Proof. First suppose that $\epsilon$ is a unit. Then there is a Gaussian integer $\nu$ such that $\epsilon\nu = 1$.
By part (ii) of Theorem 14.1, it follows that $N(\epsilon\nu) = N(\epsilon)N(\nu) = 1$. Because $\epsilon$ and
$\nu$ are Gaussian integers, both $N(\epsilon)$ and $N(\nu)$ are positive integers. It follows that
$N(\epsilon) = N(\nu) = 1$.

Conversely, suppose that $N(\epsilon) = 1$. Then $\epsilon\bar{\epsilon} = N(\epsilon) = 1$. It follows that $\epsilon \mid 1$ and $\epsilon$
is a unit. ■

We now determine which Gaussian integers are units. 

Theorem 14.4. The Gaussian integers that are units are $1$, $-1$, $i$, and $-i$.

Proof. By Theorem 14.3, the Gaussian integer $\epsilon = a + bi$ is a unit if and only if
$N(\epsilon) = 1$. Because $N(\epsilon) = N(a + bi) = a^2 + b^2$, $\epsilon$ is a unit if and only if $a^2 + b^2 = 1$.
Because $a$ and $b$ are rational integers, we can conclude that $\epsilon = a + bi$ is a unit if and
only if $(a, b) = (1, 0)$, $(-1, 0)$, $(0, 1)$, or $(0, -1)$. It follows that $\epsilon$ is a unit if and only
if $\epsilon = 1$, $-1$, $i$, or $-i$. ■

Now that we know which Gaussian integers are units, we see that the associates of
a Gaussian integer $\beta$ are the four Gaussian integers $\beta$, $-\beta$, $i\beta$, and $-i\beta$.

Example 14.4. The associates of the Gaussian integer $-2 + 3i$ are $-2 + 3i$,
$-(-2 + 3i) = 2 - 3i$, $i(-2 + 3i) = -2i + 3i^2 = -3 - 2i$, and
$-i(-2 + 3i) = 2i - 3i^2 = 3 + 2i$. ◄

Gaussian Primes 

Note that a rational integer is prime if and only if it is not divisible by an integer other than
$1$, $-1$, itself, or its negative. To define Gaussian primes, we want to ignore divisibility by
units and associates.

Definition. A nonzero Gaussian integer $\pi$ is a Gaussian prime if it is not a unit and is
divisible only by units and its associates.

It follows from the definition of a Gaussian prime that a Gaussian integer $\pi$ is prime
if and only if it has exactly eight divisors, the four units and its four associates, namely,
$1$, $-1$, $i$, $-i$, $\pi$, $-\pi$, $i\pi$, and $-i\pi$. (Units in the Gaussian integers have exactly four
divisors, namely, the four units. Gaussian integers that are not prime and are not units
have more than eight different divisors.)

An integer that is prime in the set of integers is called a rational prime. Later we will 
see that some rational primes are Gaussian primes, but some are not. Prior to providing 
examples of Gaussian primes, we prove a useful result that we can use to help determine 
whether a Gaussian integer is prime. 

Theorem 14.5. If $\pi$ is a Gaussian integer and $N(\pi) = p$, where $p$ is a rational prime,
then $\pi$ and $\bar{\pi}$ are Gaussian primes, but $p$ is not a Gaussian prime.

Proof. Suppose that $\pi = \alpha\beta$, where $\alpha$ and $\beta$ are Gaussian integers. Then $N(\pi) =
N(\alpha\beta) = N(\alpha)N(\beta)$, so that $p = N(\alpha)N(\beta)$. Because $N(\alpha)$ and $N(\beta)$ are positive
integers, it follows that $N(\alpha) = 1$ and $N(\beta) = p$ or $N(\alpha) = p$ and $N(\beta) = 1$. We conclude
by Theorem 14.3 that either $\alpha$ is a unit or $\beta$ is a unit. This means that $\pi$ cannot be factored
into two Gaussian integers neither of which is a unit, so it must be a Gaussian prime.

Note that $N(\pi) = \pi \cdot \bar{\pi}$. Because $N(\pi) = p$, it follows that $p = \pi\bar{\pi}$, which means
that $p$ is not a Gaussian prime. Note that because $N(\bar{\pi}) = p$, $\bar{\pi}$ is also a Gaussian prime.


We now give some examples of Gaussian primes. 

Example 14.5. We can use Theorem 14.5 to show that $2 - i$ is a Gaussian prime
because $N(2 - i) = 2^2 + 1^2 = 5$ and 5 is a rational prime. Also, note that $5 = (2 + i)(2 - i)$,
so that 5 is not a Gaussian prime. Similarly, $2 + 3i$ is a Gaussian prime because
$N(2 + 3i) = 2^2 + 3^2 = 13$ and 13 is a rational prime. Moreover, 13 is not a Gaussian
prime, because $13 = (2 + 3i)(2 - 3i)$. ◄

The converse of Theorem 14.5 is not true. It is possible for a Gaussian prime to have
a norm that is not a rational prime, as we will see in Example 14.6.

Example 14.6. The integer 3 is a Gaussian prime, as we will show, but $N(3) =
N(3 + 0i) = 3^2 + 0^2 = 9$ is not a rational prime. To see that 3 is a Gaussian prime,
suppose that $3 = (a + bi)(c + di)$, where $a + bi$ and $c + di$ are not units. By taking
norms of both sides of this equation, we find that

$$N(3) = N((a + bi) \cdot (c + di)).$$

It follows that

$$9 = N(a + ib)N(c + id),$$

using part (ii) of Theorem 14.1. Because neither $a + ib$ nor $c + id$ is a unit, $N(a + ib) \ne 1$
and $N(c + id) \ne 1$. Consequently, $N(a + ib) = N(c + id) = 3$. This means that
$N(a + ib) = a^2 + b^2 = 3$, which is impossible because 3 is not the sum of two squares.
It follows that 3 is a Gaussian prime. ◄

We now determine whether the rational prime 2 is also a Gaussian prime. 

Example 14.7. To determine whether 2 is a Gaussian prime, we determine whether
there are Gaussian integers $\alpha$ and $\beta$, neither a unit, such that $2 = \alpha\beta$, where $\alpha = a + ib$
and $\beta = c + id$. If $2 = \alpha\beta$, by taking norms, we see that

$$N(2) = N(\alpha)N(\beta).$$

Because $N(2) = N(2 + 0i) = 2^2 + 0^2 = 4$, this means that

$$N(\alpha)N(\beta) = (a^2 + b^2)(c^2 + d^2) = 4.$$

Because neither $\alpha$ nor $\beta$ is a unit, we know that $N(\alpha) \ne 1$ and $N(\beta) \ne 1$. It follows that
$a^2 + b^2 = 2$ and $c^2 + d^2 = 2$, so that each of $a$, $b$, $c$, and $d$ equals $1$ or $-1$. Consequently,
$\alpha$ and $\beta$ must take on one of the values $1 + i$, $-1 + i$, $1 - i$, or $-1 - i$. On inspection,
we find that when $\alpha = 1 + i$ and $\beta = 1 - i$, we have $\alpha\beta = 2$. We conclude that 2 is not
a Gaussian prime and $2 = (1 + i)(1 - i)$.

However, $1 + i$ and $1 - i$ are both Gaussian primes, because $N(1 + i) = N(1 - i) = 2$
and 2 is prime, so that Theorem 14.5 applies. ◄

Looking at Examples 14.5, 14.6, and 14.7, we see that some rational primes are also
Gaussian primes, such as 3, while other rational primes, such as $2 = (1 - i)(1 + i)$ and
$5 = (2 + i)(2 - i)$, are not Gaussian primes. In Section 14.3, we will determine which
rational primes are also Gaussian primes and which are not.
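The definitions of divisibility, units, associates, and Gaussian primes above can be checked by exhaustive search. The following Python sketch is an added illustration, not part of the text: it represents $a + bi$ as the pair `(a, b)`, and the function names are assumptions. It classifies a Gaussian integer using the "exactly eight divisors" characterization rather than any faster primality criterion.

```python
from math import isqrt

# A Gaussian integer a + bi is represented as the pair (a, b) of Python ints.
UNITS = [(1, 0), (-1, 0), (0, 1), (0, -1)]      # Theorem 14.4

def norm(z):
    a, b = z
    return a * a + b * b

def mul(z, w):
    (a, b), (c, d) = z, w
    return (a * c - b * d, a * d + b * c)

def divides(delta, alpha):
    """True when delta | alpha: alpha * conj(delta) / N(delta) must lie in Z[i]."""
    n = norm(delta)
    if n == 0:
        return alpha == (0, 0)
    c, d = delta
    re, im = mul(alpha, (c, -d))
    return re % n == 0 and im % n == 0

def associates(alpha):
    """The four associates alpha, -alpha, i*alpha, -i*alpha."""
    return {mul(u, alpha) for u in UNITS}

def divisors(alpha):
    """All divisors of a nonzero alpha, found by exhaustive search.

    If delta | alpha then N(delta) | N(alpha) (norms are multiplicative), so
    both components of delta are at most sqrt(N(alpha)) in absolute value.
    """
    n = norm(alpha)
    if n == 0:
        raise ValueError("every Gaussian integer divides 0")
    bound = isqrt(n)
    return {
        (c, d)
        for c in range(-bound, bound + 1)
        for d in range(-bound, bound + 1)
        if (c, d) != (0, 0) and n % (c * c + d * d) == 0 and divides((c, d), alpha)
    }

def classify(alpha):
    """'unit', 'prime', or 'composite' for a nonzero Gaussian integer."""
    if norm(alpha) == 1:                         # Theorem 14.3
        return "unit"
    # A prime has exactly eight divisors: the four units and its four associates.
    only_trivial = divisors(alpha) == set(UNITS) | associates(alpha)
    return "prime" if only_trivial else "composite"

if __name__ == "__main__":
    for z in [(3, 0), (2, 0), (5, 0), (2, -1), (2, 3), (1, 1), (0, -1)]:
        print(z, classify(z), len(divisors(z)))
```

The search is quadratic in $\sqrt{N(\alpha)}$, which is fine for the small examples of this section but not for large norms.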


The Division Algorithm for Gaussian Integers 

In the first chapter of this book, we introduced the division algorithm for rational integers, 
which shows that when we divide an integer a by a positive integer divisor b, we obtain 
a nonnegative remainder r less than b. Furthermore, the quotient and remainder we
obtain are unique. We would like an analogous result for the Gaussian integers, but 
in the Gaussian integers it does not make sense to say that a remainder of a division is 
smaller than the divisor. We overcome this difficulty by developing a division algorithm 
where the remainder of a division has norm less than the norm of the divisor. However, 
unlike the situation for rational integers, the quotient and remainder we compute are not 
unique, as we will illustrate with a subsequent example. 

Theorem 14.6. The Division Algorithm for Gaussian Integers. Let $\alpha$ and $\beta$ be
Gaussian integers with $\beta \ne 0$. Then there exist Gaussian integers $\gamma$ and $\rho$ such that

$$\alpha = \beta\gamma + \rho$$

and $0 \le N(\rho) < N(\beta)$. Here $\gamma$ is called the quotient and $\rho$ is called the remainder of
this division.

Proof. Suppose that $\alpha/\beta = x + iy$. Then $x + iy$ is a complex number that is a Gaussian
integer if and only if $\beta$ divides $\alpha$. Let $s = [x + \frac{1}{2}]$ and $t = [y + \frac{1}{2}]$ (these are the integers
closest to $x$ and $y$, respectively, rounded up if the fractional part of $x$ or $y$ equals 1/2; see
Figure 14.2).



With these choices for $s$ and $t$, we find that

$$x + iy = (s + f) + i(t + g),$$

where $f$ and $g$ are real numbers with $|f| \le 1/2$ and $|g| \le 1/2$. Now let $\gamma = s + ti$ and
$\rho = \alpha - \beta\gamma$. By Theorem 14.1, we know that $N(\rho) \ge 0$.

To show that $N(\rho) < N(\beta)$, recalling that $\alpha/\beta = x + iy$ and using Theorem 14.1
(ii), we see that

$$N(\rho) = N(\alpha - \beta\gamma) = N(((\alpha/\beta) - \gamma)\beta) = N(((x + iy) - \gamma)\beta)$$

$$= N((x + iy) - \gamma)N(\beta).$$

Because $\gamma = s + ti$, $x - s = f$, and $y - t = g$, we find that

$$N(\rho) = N((x + iy) - (s + ti))N(\beta) = N(f + ig)N(\beta).$$

Finally, because $|f| \le 1/2$ and $|g| \le 1/2$, we conclude that

$N(\rho) = N(f + ig)N(\beta) \le ((1/2)^2 + (1/2)^2)N(\beta) <$
This completes the proof. ■

Remark. In the proof of Theorem 14.6, when we divide a Gaussian integer $\alpha$ by a
nonzero Gaussian integer $\beta$, we construct a remainder $\rho$ such that $0 \le N(\rho) \le N(\beta)/2$.
That is, the norm of the remainder does not exceed 1/2 of the norm of the divisor. This
will be a useful fact to remember.

Example 14.8 illustrates how to find the quotient and remainder computed in the
proof of Theorem 14.6. This example also illustrates that these values are not unique, in
the sense that there are other possible values that satisfy the conclusions of the theorem.

Example 14.8. Let $\alpha = 13 + 20i$ and $\beta = -3 + 5i$. We can follow the steps in the
proof of Theorem 14.6 to find $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$, that is,
with $13 + 20i = (-3 + 5i)\gamma + \rho$ and $0 \le N(\rho) < N(-3 + 5i) = 34$. We first divide $\alpha$
by $\beta$ to obtain

$$\frac{13 + 20i}{-3 + 5i} = \frac{61}{34} - \frac{125}{34}i.$$

Next, we find the integers closest to $\frac{61}{34}$ and $-\frac{125}{34}$, namely, $2$ and $-4$, respectively.
Consequently, we take $\gamma = 2 - 4i$ as the quotient. The corresponding remainder is
$\rho = \alpha - \beta\gamma = (13 + 20i) - (-3 + 5i)\gamma = (13 + 20i) - (-3 + 5i)(2 - 4i) = -1 - 2i$. We
verify that $N(\rho) \le N(\beta)/2 < N(\beta)$ by noting that $N(-1 - 2i) = 5 < N(-3 + 5i)/2 =
34/2 = 17$, as expected (see the previous Remark).

Other choices for $\gamma$ and $\rho$ besides those produced by the construction in the proof
of Theorem 14.6 satisfy the consequences of the division algorithm. For example, we
can take $\gamma = 2 - 3i$ and $\rho = 4 + i$, because $13 + 20i = (-3 + 5i)(2 - 3i) + (4 + i)$ and
$N(4 + i) = 17 \le N(-3 + 5i)/2 = 34/2 = 17 < N(-3 + 5i)$. (See Exercise 19.) ◄


14.1 Exercises 

1. Simplify each of the following expressions, expressing your answer in the form of a Gaussian
integer $a + bi$.

a) $(2 + i)^2(3 + i)$ b) $(2 - 3i)^3$ c) $-i(-i + 3)^3$

2. Simplify each of the following expressions, expressing your answer in the form of a Gaussian
integer $a + bi$.

a) $(-1 + i)^3(1 + i)^3$ b) $(3 + 2i)(3 - i)^2$ c) $(2 + i)^2(5 - i)^3$

3. Determine whether the Gaussian integer $\alpha$ divides the Gaussian integer $\beta$ if

a) $\alpha = 2 - i$, $\beta = 5 + 5i$. b) $\alpha = 1 - i$, $\beta = 8$.

c) $\alpha = 5$, $\beta = 2 + 3i$. d) $\alpha = 3 + 2i$, $\beta = 26$.

4. Determine whether the Gaussian integer $\alpha$ divides the Gaussian integer $\beta$, where

a) $\alpha = 3$, $\beta = 4 + 7i$. b) $\alpha = 2 + i$, $\beta = 15$.

c) $\alpha = 5 + 3i$, $\beta = 30 + 6i$. d) $\alpha = 11 + 4i$, $\beta = 274$.

5. Give a formula for all Gaussian integers divisible by $4 + 3i$, and display the set of all such
Gaussian integers in the plane.

6. Give a formula for all Gaussian integers divisible by $4 - i$, and display the set of all such
Gaussian integers in the plane.

7. Show that if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers and $\alpha \mid \beta$ and $\beta \mid \gamma$, then $\alpha \mid \gamma$.

8. Show that if $\alpha$, $\beta$, $\gamma$, $\mu$, and $\nu$ are Gaussian integers and $\gamma \mid \alpha$ and $\gamma \mid \beta$, then $\gamma \mid (\mu\alpha + \nu\beta)$.

9. Show that if $\epsilon$ is a unit for the Gaussian integers, then $\epsilon^5 = \epsilon$.

10. Find all Gaussian integers $\alpha = a + bi$ such that $\bar{\alpha} = a - bi$, the conjugate of $\alpha$, is an associate
of $\alpha$.

11. Show that the Gaussian integers $\alpha$ and $\beta$ are associates if $\alpha \mid \beta$ and $\beta \mid \alpha$.

12. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\alpha \mid \beta$, then $N(\alpha) \mid N(\beta)$.

13. Suppose that $N(\alpha) \mid N(\beta)$, where $\alpha$ and $\beta$ are Gaussian integers. Does it necessarily follow
that $\alpha \mid \beta$? Supply either a proof or a counterexample.

14. Show that if $\alpha$ divides $\beta$, where $\alpha$ and $\beta$ are Gaussian integers, then $\bar{\alpha}$ divides $\bar{\beta}$.

15. Show that if $\alpha = a + bi$ is a nonzero Gaussian integer, then $\alpha$ has exactly one associate $c + di$
(including $\alpha$ itself), where $c > 0$ and $d \ge 0$.

16. For each pair of values for $\alpha$ and $\beta$, find the quotient $\gamma$ and the remainder $\rho$ when $\alpha$ is
divided by $\beta$ computed following the construction in the proof of Theorem 14.6, and verify
that $N(\rho) < N(\beta)$.

a) $\alpha = 14 + 17i$, $\beta = 2 + 3i$ b) $\alpha = 7 - 19i$, $\beta = 3 - 4i$ c) $\alpha = 33$, $\beta = 5 + i$

17. For each pair of values for $\alpha$ and $\beta$, find the quotient $\gamma$ and the remainder $\rho$ when $\alpha$ is
divided by $\beta$ computed following the construction in the proof of Theorem 14.6, and verify
that $N(\rho) < N(\beta)$.

a) $\alpha = 24 - 9i$, $\beta = 3 + 3i$ b) $\alpha = 18 + 15i$, $\beta = 3 + 4i$ c) $\alpha = 87i$, $\beta = 11 - 2i$

18. For each pair of values for $\alpha$ and $\beta$ in Exercise 16, find a pair of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ different from that computed following the construction
in Theorem 14.6.

19. For each pair of values for $\alpha$ and $\beta$ in Exercise 17, find a pair of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ different from that computed following the construction
in Theorem 14.6.

20. Show that for every pair of Gaussian integers $\alpha$ and $\beta$ with $\beta \ne 0$ and $\beta \nmid \alpha$, there are at least
two different pairs of Gaussian integers $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$.

* 21. Determine all possible values for the number of pairs of Gaussian integers $\gamma$ and $\rho$ such
that $\alpha = \beta\gamma + \rho$ and $N(\rho) < N(\beta)$ when $\alpha$ and $\beta$ are Gaussian integers and $\beta \ne 0$. (Hint:
Analyze this geometrically by looking at the position of $\alpha/\beta$ in the square containing it and
with four lattice points as its corners.)

22. Show that if a number of the form $r + si$, where $r$ and $s$ are rational numbers, is an algebraic
integer, then $r$ and $s$ are integers.

23. Show that $1 + i$ divides a Gaussian integer $a + ib$ if and only if $a$ and $b$ are both even or both
odd.

24. Show that if $\pi$ is a Gaussian prime, then $N(\pi) = 2$ or $N(\pi) \equiv 1 \pmod{4}$.

25. Find all Gaussian primes of the form $\alpha^2 + 1$, where $\alpha$ is a Gaussian integer.

26. Show that if $a + bi$ is a Gaussian prime, then $b + ai$ is also a Gaussian prime.

27. Show that the rational prime 7 is also a Gaussian prime by adapting the argument given in
Example 14.6 that shows 3 is a Gaussian prime.

28. Show that every rational prime $p$ of the form $4k + 3$ is also a Gaussian prime.

29. Suppose that $\alpha$ is a nonzero Gaussian integer that is neither a unit nor a prime. Show that a
Gaussian integer $\beta$ exists such that $\beta \mid \alpha$ and $1 < N(\beta) \le \sqrt{N(\alpha)}$.

30. Explain how to adapt the sieve of Eratosthenes to find all the Gaussian primes with norm less
than a specified limit.

31. Find all the Gaussian primes with norm less than 100.

32. Display all the Gaussian primes with norm less than 200 as lattice points in the plane.

We can define the notion of congruence for Gaussian integers. Suppose that $\alpha$, $\beta$, and $\gamma$ are
Gaussian integers and that $\gamma \ne 0$. We say that $\alpha$ is congruent to $\beta$ modulo $\gamma$ and we write
$\alpha \equiv \beta \pmod{\gamma}$ if $\gamma \mid (\alpha - \beta)$.

33. Suppose that $\mu$ is a nonzero Gaussian integer. Show that each of the following properties
holds.

a) If $\alpha$ is a Gaussian integer, then $\alpha \equiv \alpha \pmod{\mu}$.

b) If $\alpha \equiv \beta \pmod{\mu}$, then $\beta \equiv \alpha \pmod{\mu}$.

c) If $\alpha \equiv \beta \pmod{\mu}$ and $\beta \equiv \gamma \pmod{\mu}$, then $\alpha \equiv \gamma \pmod{\mu}$.

34. Suppose that $\alpha \equiv \beta \pmod{\mu}$ and $\gamma \equiv \delta \pmod{\mu}$, where $\alpha$, $\beta$, $\gamma$, $\delta$, and $\mu$ are Gaussian
integers and $\mu \ne 0$. Show that each of these properties holds.

a) $\alpha + \gamma \equiv \beta + \delta \pmod{\mu}$ b) $\alpha - \gamma \equiv \beta - \delta \pmod{\mu}$ c) $\alpha\gamma \equiv \beta\delta \pmod{\mu}$

35. Show that two Gaussian integers $\alpha = a_1 + ib_1$ and $\beta = a_2 + ib_2$ can be multiplied using only
three multiplications of rational integers, rather than the four in the equation shown in the
text, together with five additions and subtractions. (Hint: One way to do this uses the product
$(a_1 + b_1)(a_2 + b_2)$. A second way uses the product $b_2(a_1 + b_1)$.)

36. When $a$ and $b$ are real numbers, let $\{a + bi\} = \{a\} + \{b\}i$, where $\{x\}$ is the closest integer to
the real number $x$, rounding up in the case of a tie. Show that if $z$ is a complex number, then
no Gaussian integer is closer to $z$ than $\{z\}$ and $N(z - \{z\}) \le 1/2$.

Let $k$ be a nonnegative integer. The Gaussian Fibonacci number $G_k$ is defined in terms of the
Fibonacci numbers with $G_k = f_k + if_{k+1}$. Exercises 37-39 involve Gaussian Fibonacci numbers.

37. a) List the terms of the Gaussian Fibonacci sequence for $k = 0, 1, 2, 3, 4, 5$. (Recall that
$f_0 = 0$.)

b) Show that $G_k = G_{k-1} + G_{k-2}$ for $k = 2, 3, \ldots$.

38. Show that $N(G_k) = f_{2k+1}$ for all nonnegative integers $k$.

39. Show that $G_{n+2}G_{n+1} - G_{n+3}G_n = (-1)^n(2 + i)$, whenever $n$ is a positive integer.

40. Show that every Gaussian integer can be written in the form
$a_n(-1 + i)^n + a_{n-1}(-1 + i)^{n-1} + \cdots + a_1(-1 + i) + a_0$, where $a_j = 0$ or $1$ for $j = 0, 1, \ldots, n - 1, n$.

41. Show that if $\alpha$ is a number of the form $r + si$, where $r$ and $s$ are rational numbers and $\alpha$ is a
root of a monic quadratic polynomial with integer coefficients, then $\alpha$ is a Gaussian integer.

42. What can you conclude if $\pi = a + bi$ is a Gaussian prime and one of the Gaussian integers
$(a + 1) + bi$, $(a - 1) + bi$, $a + (b + 1)i$, and $a + (b - 1)i$ is also a Gaussian prime?

43. Show that if $\pi_1 = a - 1 + bi$, $\pi_2 = a + 1 + bi$, $\pi_3 = a + (b - 1)i$, and $\pi_4 = a + (b + 1)i$ are
all Gaussian primes and $|a| + |b| > 5$, then 5 divides both $a$ and $b$ and neither $a$ nor $b$ is zero.

44. Describe the block of Gaussian integers containing no Gaussian primes that can be
constructed by first forming the product of all Gaussian integers $a + bi$ with $a$ and $b$ rational
integers, $0 < a < m$, and $0 < b < n$.

45. Find all Gaussian integers $\alpha$, $\beta$, and $\gamma$ such that $\alpha\beta\gamma = \alpha + \beta + \gamma = 1$.

46. Show that if $\pi$ is a Gaussian prime with $N(\pi) \ne 2$, then exactly one of the associates of $\pi$ is
congruent to either $1$ or $3 + 2i$ modulo $4$.

Computations and Explorations 

1. Find all pairs of Gaussian integers $\gamma$ and $\rho$ such that $180 - 181i = (12 + 13i)\gamma + \rho$ and
$N(\rho) < N(12 + 13i)$.

2. Use a version of the sieve of Eratosthenes to find all Gaussian primes with norm less than
1000.

3. Find as many different pairs of Gaussian primes that differ by 2 as you can.

4. Find as many triples of Gaussian primes that form an arithmetic progression with a common
difference of 2 as you can.

5. Find as many Gaussian primes as you can of the form $1 + bi$ where $b$ is an integer. (It is
unknown whether there are infinitely many such primes.)

6. Find as many Gaussian primes of the form $\alpha^2 + \alpha + (9 + 4i)$ as you can.

7. Estimate the probability that two randomly chosen Gaussian integers are relatively prime by
testing whether a large number of randomly chosen pairs of Gaussian integers are relatively
prime.

* * 8. Search for Gaussian moats, which are regions of width $k$, where $k$ is a positive real number, in
the complex plane surrounding the origin that contain no Gaussian primes. (See [GeWaWi98]
for more information about Gaussian moats.)

Programming Projects

1. Given two Gaussian integers $\alpha$ and $\beta$, find all pairs of Gaussian integers $\gamma$ and $\rho$ such that
$\alpha = \gamma\beta + \rho$.

2. Implement a version of the sieve of Eratosthenes to find all Gaussian primes with norm less
than a specified integer.

3. Given a positive real number $k$ and a positive integer $n$, find all Gaussian primes with norm
less than $n$ that can be reached, starting with a Gaussian prime with norm not exceeding 5
moving from one Gaussian prime to the next in steps not exceeding $k$.

4. Display a graph of the Gaussian primes that can be reached as described in the preceding
programming project.

14.2 Greatest Common Divisors and Unique Factorization

In Chapter 3, we showed that every pair of rational integers not both zero has a greatest 
common divisor. Using properties of the greatest common divisor, we showed that if 
a prime divides the product of two integers, it must divide one of these integers. We 
used this fact to show that every integer can be uniquely written as the product of the 
powers of primes when these primes are written in increasing order. In this section, we 
will establish analogous results for the Gaussian integers. We first develop the concept 
of greatest common divisors for Gaussian integers. We will show that every pair of 
Gaussian integers, not both zero, has a greatest common divisor. Then we will show 
that if a Gaussian prime divides the product of two Gaussian integers, it must divide one 
of these integers. We will use this result to develop a unique factorization theorem for 
the Gaussian integers. 

Greatest Common Divisors 

We cannot adapt the original definition we gave for greatest common divisors of integers, 
because it does not make sense to say that one Gaussian integer is larger than another 
one. However, we will be able to define the notion of a greatest common divisor for a pair 
of Gaussian integers by adapting the characterization of the greatest common divisor of 
two rational integers that does not use the ordering of the integers given in Theorem 3.10. 

Definition. Let $\alpha$ and $\beta$ be Gaussian integers. A greatest common divisor of $\alpha$ and $\beta$
is a Gaussian integer $\gamma$ with these two properties:

(i) $\gamma \mid \alpha$ and $\gamma \mid \beta$;
and

(ii) if $\delta \mid \alpha$ and $\delta \mid \beta$, then $\delta \mid \gamma$.

If $\gamma$ is a greatest common divisor of the Gaussian integers $\alpha$ and $\beta$, then it is
straightforward to show that all associates of $\gamma$ are also greatest common divisors of
$\alpha$ and $\beta$ (see Exercise 5). Consequently, if $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then $-\gamma$, $i\gamma$, and $-i\gamma$ are also greatest common divisors of $\alpha$ and $\beta$. The converse is also
true, that is, any two greatest common divisors of two Gaussian integers are associates,
as we will prove later in this section. First, we will show that a greatest common divisor
exists for every two Gaussian integers.

Theorem 14.7. If $\alpha$ and $\beta$ are Gaussian integers, not both zero, then

(i) there exists a greatest common divisor $\gamma$ of $\alpha$ and $\beta$;
and

(ii) if $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$, then there exist Gaussian integers
$\mu$ and $\nu$ (called Bezout coefficients of $\alpha$ and $\beta$) such that $\gamma = \mu\alpha + \nu\beta$.

Proof. Let $S$ be the set of norms of nonzero Gaussian integers of the form

$$\mu\alpha + \nu\beta,$$

where $\mu$ and $\nu$ are Gaussian integers. Because $\mu\alpha + \nu\beta$ is a Gaussian integer when
$\mu$ and $\nu$ are Gaussian integers and the norm of a nonzero Gaussian integer is a positive
integer, every element of $S$ is a positive integer. $S$ is nonempty, which can be seen because
$N(1 \cdot \alpha + 0 \cdot \beta) = N(\alpha)$ and $N(0 \cdot \alpha + 1 \cdot \beta) = N(\beta)$ both belong to $S$ and cannot be
both 0.

Because $S$ is a nonempty set of positive integers, by the well-ordering property, it
contains a least element. Consequently, a Gaussian integer $\gamma$ exists with

$$\gamma = \mu_0\alpha + \nu_0\beta,$$

where $\mu_0$ and $\nu_0$ are Gaussian integers and $N(\gamma) \le N(\mu\alpha + \nu\beta)$ for all Gaussian integers
$\mu$ and $\nu$.

We will show that $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$. First, suppose that
$\delta \mid \alpha$ and $\delta \mid \beta$. Then there exist Gaussian integers $\rho$ and $\sigma$ such that $\alpha = \delta\rho$ and $\beta = \delta\sigma$.
It follows that

$$\gamma = \mu_0\alpha + \nu_0\beta = \mu_0\delta\rho + \nu_0\delta\sigma = \delta(\mu_0\rho + \nu_0\sigma).$$

We see that $\delta \mid \gamma$.

To show that $\gamma \mid \alpha$ and $\gamma \mid \beta$, we will show that $\gamma$ divides every Gaussian integer of
the form $\mu\alpha + \nu\beta$. So, suppose that $\tau = \mu_1\alpha + \nu_1\beta$ for Gaussian integers $\mu_1$ and $\nu_1$. By
Theorem 14.6, the division algorithm for Gaussian integers, we see that

$$\tau = \gamma\eta + \xi,$$

where $\eta$ and $\xi$ are Gaussian integers with $0 \le N(\xi) < N(\gamma)$. Furthermore, $\xi$ is a
Gaussian integer of the form $\mu\alpha + \nu\beta$. To see this, note that

$$\xi = \tau - \gamma\eta = (\mu_1\alpha + \nu_1\beta) - (\mu_0\alpha + \nu_0\beta)\eta = (\mu_1 - \mu_0\eta)\alpha + (\nu_1 - \nu_0\eta)\beta.$$

Recall that $\gamma$ was chosen as an element with smallest possible norm among the nonzero
Gaussian integers of the form $\mu\alpha + \nu\beta$. Consequently, because $\xi$ has this form and
$0 \le N(\xi) < N(\gamma)$, we know that $N(\xi) = 0$. By Theorem 14.1, we see that $\xi = 0$.
Consequently, $\tau = \gamma\eta$. We conclude that every Gaussian integer of the form $\mu\alpha + \nu\beta$ is
divisible by $\gamma$. ■

We now show that any two greatest common divisors of two Gaussian integers must 
be associates. 

Theorem 14.8. If both $\gamma_1$ and $\gamma_2$ are greatest common divisors of the Gaussian integers
$\alpha$ and $\beta$, not both zero, then $\gamma_1$ and $\gamma_2$ are associates of each other.

Proof. Suppose that $\gamma_1$ and $\gamma_2$ are both greatest common divisors of $\alpha$ and $\beta$. By part
(ii) of the definition of greatest common divisor, it follows that $\gamma_1 \mid \gamma_2$ and $\gamma_2 \mid \gamma_1$. This
means there are Gaussian integers $\epsilon$ and $\theta$ such that $\gamma_2 = \epsilon\gamma_1$ and $\gamma_1 = \theta\gamma_2$. Combining
these two equations, we see that

$$\gamma_1 = \theta\epsilon\gamma_1.$$

Divide both sides by $\gamma_1$ (which does not equal 0 because 0 is not a common divisor of
two Gaussian integers if they are not both zero) to see that


We conclude that $\theta$ and $\epsilon$ are both units. Because $\gamma_1 = \theta\gamma_2$, we see that $\gamma_1$ and $\gamma_2$ are
associates. ■


The demonstration that the converse of Theorem 14.8 is also true is left as Exercise 5 
at the end of this section. 

Definition. The Gaussian integers $\alpha$ and $\beta$ are relatively prime if 1 is a greatest common
divisor of $\alpha$ and $\beta$.

Note that 1 is a greatest common divisor of $\alpha$ and $\beta$ if and only if the associates of 1,
namely, $-1$, $i$, and $-i$, are also greatest common divisors of $\alpha$ and $\beta$. For example, if we
know that $i$ is a greatest common divisor of $\alpha$ and $\beta$, then these two Gaussian integers
are relatively prime.

We can adapt the Euclidean algorithm (Theorem 3.11) to find a greatest common 
divisor of two Gaussian integers. 

Theorem 14.9. A Euclidean Algorithm for Gaussian Integers. Let $\rho_0 = \alpha$ and
$\rho_1 = \beta$ be nonzero Gaussian integers. If the division algorithm for Gaussian integers
is successively applied to obtain $\rho_j = \rho_{j+1}\gamma_{j+1} + \rho_{j+2}$, with $N(\rho_{j+2}) < N(\rho_{j+1})$ for
$j = 0, 1, 2, \ldots, n-2$ and $\rho_{n+1} = 0$, then $\rho_n$, the last nonzero remainder, is a greatest
common divisor of $\alpha$ and $\beta$.

We leave the proof of Theorem 14.9 to the reader; it is a straightforward adaption
of the proof of Theorem 3.11. Note that we can also work backward through the steps
of the Euclidean algorithm for Gaussian integers to express the greatest common divisor 
found by the algorithm as a linear combination of the two Gaussian integers provided as 
input to the algorithm. We illustrate this in the following example. 

Example 14.9. Suppose that $\alpha = 97 + 210i$ and $\beta = 123 + 16i$. The version of the
Euclidean algorithm based on the version of the division algorithm in the proof of
Theorem 14.6 can be used to find the greatest common divisors of $\alpha$ and $\beta$ with the
following steps:

$$97 + 210i = (123 + 16i)(1 + 2i) + (6 - 52i)$$

$$123 + 16i = (6 - 52i)(2i) + (19 + 4i)$$

$$6 - 52i = (19 + 4i)(-3i) + (-6 + 5i)$$

$$19 + 4i = (-6 + 5i)(-2 - 2i) + (-3 + 2i)$$

$$-6 + 5i = (-3 + 2i)2 + i$$

$$-3 + 2i = i(2 + 3i) + 0.$$

We conclude that $i$ is a greatest common divisor of $97 + 210i$ and $123 + 16i$.
Consequently, all greatest common divisors of these two Gaussian integers are the
associates of $i$, namely, $1$, $-1$, $i$, and $-i$. It follows that $97 + 210i$ and $123 + 16i$ are
relatively prime.

Because $97 + 210i$ and $123 + 16i$ are relatively prime, we can express 1 as a linear
combination of these Gaussian integers. We can find Gaussian integers $\mu$ and $\nu$ such that
$1 = \mu\alpha + \nu\beta$ by working backward through these steps and then multiplying both sides
by $-i$ to obtain 1. These computations, which we leave to the reader, show that

$$(97 + 210i)(-24 + 21i) + (123 + 16i)(57 + 17i) = 1.$$ ◄
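The following Python sketch is an added example, not code from the text. It runs the Euclidean algorithm of Theorem 14.9 on pairs `(a, b)` standing for $a + bi$ and carries the linear combination along at each step. It assumes the quotient in each division is found by rounding the real and imaginary parts of the exact quotient to the nearest integers; all function names are choices made for this example.

```python
# A Gaussian integer a + bi is represented by the tuple (a, b) (a convention of this example).

def mul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def sub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def norm(x):
    return x[0] * x[0] + x[1] * x[1]

def nearest(p, n):
    """Integer nearest to p/n for n > 0, in exact integer arithmetic (ties round up)."""
    return (2 * p + n) // (2 * n)

def divmod_gauss(alpha, beta):
    """Return (quotient, remainder) with N(remainder) <= N(beta)/2 < N(beta)."""
    if beta == (0, 0):
        raise ZeroDivisionError("division by the Gaussian integer 0")
    n = norm(beta)
    # alpha / beta = alpha * conj(beta) / N(beta); round each coordinate.
    num = mul(alpha, (beta[0], -beta[1]))
    q = (nearest(num[0], n), nearest(num[1], n))
    return q, sub(alpha, mul(beta, q))

def euclid_steps(alpha, beta):
    """One tuple (dividend, divisor, quotient, remainder) per division performed."""
    steps = []
    while beta != (0, 0):
        q, r = divmod_gauss(alpha, beta)
        steps.append((alpha, beta, q, r))
        alpha, beta = beta, r
    return steps

def extended_gcd(alpha, beta):
    """Return (gamma, mu, nu) where gamma = mu*alpha + nu*beta is the last nonzero remainder."""
    r0, s0, t0 = alpha, (1, 0), (0, 0)
    r1, s1, t1 = beta, (0, 0), (1, 0)
    while r1 != (0, 0):
        q, r2 = divmod_gauss(r0, r1)
        # Each remainder stays a combination s*alpha + t*beta.
        r0, s0, t0, r1, s1, t1 = r1, s1, t1, r2, sub(s0, mul(q, s1)), sub(t0, mul(q, t1))
    return r0, s0, t0

def bezout_for_one(alpha, beta):
    """For relatively prime alpha, beta return (mu, nu) with mu*alpha + nu*beta = 1."""
    gamma, mu, nu = extended_gcd(alpha, beta)
    if norm(gamma) != 1:
        raise ValueError("the two Gaussian integers are not relatively prime")
    inverse = (gamma[0], -gamma[1])  # the inverse of a unit is its conjugate
    return mul(mu, inverse), mul(nu, inverse)

if __name__ == "__main__":
    for dividend, divisor, q, r in euclid_steps((97, 210), (123, 16)):
        print(dividend, "=", divisor, "*", q, "+", r)
    print(bezout_for_one((97, 210), (123, 16)))
```

With this rounding rule the quotients and remainders for $97 + 210i$ and $123 + 16i$ coincide with the six divisions of Example 14.9.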

Unique Factorization for Gaussian Integers 

The fundamental theorem of arithmetic states that every rational integer has a unique 
factorization into primes. Its proof depends on the fact that if the rational prime p divides 
the product of two rational integers ab, then p divides either a or b. We now prove an 
analogous fact about the Gaussian integers that will play the crucial role in proving 
unique factorization for the Gaussian integers. 

Lemma 14.1. If $\pi$ is a Gaussian prime and $\alpha$ and $\beta$ are Gaussian integers such that
$\pi \mid \alpha\beta$, then $\pi \mid \alpha$ or $\pi \mid \beta$.

Proof. Suppose that $\pi$ does not divide $\alpha$. We will show that $\pi$ must then divide $\beta$.
Because $\pi \nmid \alpha$, we also know that $\varepsilon\pi \nmid \alpha$ when $\varepsilon$ is a unit. Because the only divisors
of $\pi$ are $1$, $-1$, $i$, $-i$, $\pi$, $-\pi$, $i\pi$, and $-i\pi$, it follows that a greatest common divisor of
$\pi$ and $\alpha$ must be a unit. This means that 1 is a greatest common divisor of $\pi$ and $\alpha$. By
Theorem 14.7, we know that there exist Gaussian integers $\mu$ and $\nu$ such that

$$1 = \mu\pi + \nu\alpha.$$

Multiplying both sides of this equation by $\beta$, we see that

$$\beta = \pi(\mu\beta) + \nu(\alpha\beta).$$

By the hypotheses of the theorem, we know that $\pi \mid \alpha\beta$ so that $\pi \mid \nu(\alpha\beta)$. Because
$\beta = \pi(\mu\beta) + \nu(\alpha\beta)$, it follows (using Exercise 8 of Section 14.1) that $\pi \mid \beta$. ■

Lemma 14.1 is a key ingredient in proving that the Gaussian integers enjoy the
unique factorization property. Other sets of algebraic integers, such as $\mathbb{Z}[\sqrt{-5}]$, the
set of quadratic integers of the form $a + b\sqrt{-5}$, do not enjoy a property analogous to
Lemma 14.1 and do not enjoy unique factorization.

We can extend Lemma 14.1 to products with more than two terms. 

Lemma 14.2. If $\pi$ is a Gaussian prime and $\alpha_1, \alpha_2, \ldots, \alpha_m$ are Gaussian integers such
that $\pi \mid \alpha_1\alpha_2\cdots\alpha_m$, then there is an integer $j$ such that $\pi \mid \alpha_j$, where $1 \le j \le m$.

Proof. We can prove this result using mathematical induction. When $m = 1$, the result
is trivial. Now suppose that the result is true for $m = k$, where $k$ is a positive integer. That
is, suppose that if

$$\pi \mid \alpha_1\alpha_2\cdots\alpha_k,$$

where $\alpha_i$ is a Gaussian integer for $i = 1, 2, \ldots, k$, then $\pi \mid \alpha_i$ for some integer $i$ with
$1 \le i \le k$. Now suppose that

$$\pi \mid \alpha_1\alpha_2\cdots\alpha_k\alpha_{k+1},$$

where $\alpha_i$, $i = 1, 2, \ldots, k+1$, are Gaussian integers. Then $\pi \mid \alpha_1(\alpha_2\cdots\alpha_k\alpha_{k+1})$, so
that by Lemma 14.1, we know that $\pi \mid \alpha_1$ or $\pi \mid \alpha_2\cdots\alpha_k\alpha_{k+1}$. If $\pi \mid \alpha_2\cdots\alpha_k\alpha_{k+1}$,
we can use the induction hypothesis to conclude that $\pi \mid \alpha_j$ for some integer $j$ with
$2 \le j \le k+1$. It follows that $\pi \mid \alpha_j$ for some integer $j$ with $1 \le j \le k+1$, completing
the proof. ■

We can now state and prove the unique factorization theorem for Gaussian integers. 
Not surprisingly, Carl Friedrich Gauss was the first to prove this theorem.

Theorem 14.10. The Unique Factorization Theorem for Gaussian Integers. Suppose
that $\gamma$ is a nonzero Gaussian integer that is not a unit. Then

(i) $\gamma$ can be written as the product of Gaussian primes; and

(ii) this factorization is unique in the sense that if

$$\gamma = \pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t,$$

where $\pi_1, \pi_2, \ldots, \pi_s, \rho_1, \rho_2, \ldots, \rho_t$ are all Gaussian primes, then $s = t$,
and after renumbering the terms, if necessary, $\pi_i$ and $\rho_i$ are associates for
$i = 1, 2, \ldots, s$.

Proof. We will prove part (i) using the second principle of mathematical induction
where the variable is $N(\gamma)$, the norm of $\gamma$. First note that because $\gamma \ne 0$ and $\gamma$ is not a
unit, by Theorem 14.3, we know that $N(\gamma) \ne 1$. It follows that $N(\gamma) \ge 2$.

When $N(\gamma) = 2$, by Theorem 14.5, we know that $\gamma$ is a Gaussian prime. Consequently,
in this case, $\gamma$ is the product of exactly one Gaussian prime, itself.

Now assume that $N(\gamma) > 2$. We assume that every Gaussian integer $\delta$ with $N(\delta) <
N(\gamma)$ can be written as the product of Gaussian primes; this is the induction hypothesis.
If $\gamma$ is a Gaussian prime, it can be written as the product of exactly one Gaussian prime,
itself. Otherwise, $\gamma = \eta\theta$, where $\eta$ and $\theta$ are Gaussian integers that are not units. Because
$\eta$ and $\theta$ are not units, by Theorems 14.1 and 14.3, we know that $N(\eta) > 1$ and $N(\theta) > 1$.
Furthermore, because $N(\gamma) = N(\eta)N(\theta)$, we know that $2 \le N(\eta) < N(\gamma)$ and $2 \le
N(\theta) < N(\gamma)$. Using the induction hypothesis, we know that both $\eta$ and $\theta$ are products
of Gaussian primes. That is, $\eta = \pi_1\pi_2\cdots\pi_s$, where $\pi_1, \pi_2, \ldots, \pi_s$ are Gaussian primes
and $\theta = \rho_1\rho_2\cdots\rho_t$, where $\rho_1, \rho_2, \ldots, \rho_t$ are Gaussian primes. Consequently,

$$\gamma = \theta\eta = \pi_1\pi_2\cdots\pi_s\rho_1\rho_2\cdots\rho_t$$

is the product of Gaussian primes. This finishes the proof that every Gaussian integer
can be written as the product of Gaussian primes.

We will also use the second principle of mathematical induction to prove part (ii) of
the theorem, the uniqueness of the factorization in the sense described in the statement of
the theorem. Suppose that $\gamma$ is a nonzero Gaussian integer that is not a unit. By Theorem
14.3, we know that $N(\gamma) \ge 2$. To begin the proof by mathematical induction, note that
when $N(\gamma) = 2$, $\gamma$ is a Gaussian prime, so $\gamma$ can only be written in one way as the
product of Gaussian primes, namely, the product with one term, $\gamma$.

Now assume that part (ii) of the statement of the theorem is true when $\delta$ is a Gaussian
integer with $N(\delta) < N(\gamma)$. Assume that $\gamma$ can be written as the product of Gaussian
primes in two ways, that is,

$$\gamma = \pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t,$$

where $\pi_1, \pi_2, \ldots, \pi_s, \rho_1, \rho_2, \ldots, \rho_t$ are all Gaussian primes. Note that $s > 1$; otherwise,
$\gamma$ is a Gaussian prime that already can be written uniquely as the product of Gaussian
primes.

Because $\pi_1 \mid \pi_1\pi_2\cdots\pi_s$ and $\pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t$, we see that $\pi_1 \mid \rho_1\rho_2\cdots\rho_t$.
By Lemma 14.2, we know that $\pi_1 \mid \rho_k$ for some integer $k$ with $1 \le k \le t$. We can reorder
the primes $\rho_1, \rho_2, \ldots, \rho_t$, if necessary, so that $\pi_1 \mid \rho_1$. Because $\rho_1$ is a Gaussian prime,
it is only divisible by units and associates, so that $\pi_1$ and $\rho_1$ must be associates. It follows
that $\rho_1 = \varepsilon\pi_1$, where $\varepsilon$ is a unit. This implies that

$$\pi_1\pi_2\cdots\pi_s = \rho_1\rho_2\cdots\rho_t = \varepsilon\pi_1\rho_2\cdots\rho_t.$$

We now divide both sides of this last equation by $\pi_1$ to obtain

$$\pi_2\pi_3\cdots\pi_s = (\varepsilon\rho_2)\rho_3\cdots\rho_t.$$

Because $\pi_1$ is a Gaussian prime, we know that $N(\pi_1) \ge 2$. Consequently,

$$1 < N(\pi_2\pi_3\cdots\pi_s) < N(\pi_1\pi_2\cdots\pi_s) = N(\gamma).$$

By the induction hypothesis and the fact that $\pi_2\pi_3\cdots\pi_s = (\varepsilon\rho_2)\rho_3\cdots\rho_t$, we can
conclude that $s - 1 = t - 1$, and that after reordering of terms, if necessary, $\rho_i$ is an
associate of $\pi_i$ for $i = 1, 2, \ldots, s - 1$. This completes the proof of part (ii). ■

Factoring a Gaussian integer into a product of Gaussian primes can be done by 
computing its norm. For each prime in the factorization of this norm as a rational integer, 
we look for possible Gaussian prime divisors of the Gaussian integer with this norm. We 
can perform trial division by each possible Gaussian prime divisor to see whether it 
divides the Gaussian integer. 
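The trial-division procedure just described can be written out as follows. This Python sketch is an added example, not code from the text; it represents $a + bi$ as the pair `(a, b)`, returns each Gaussian prime with positive real part and nonnegative imaginary part, and uses function names chosen for this example. For a rational prime $p$ that is not a sum of two squares it uses $p$ itself as the Gaussian prime, as Theorem 14.12 in Section 14.3 states.

```python
from math import isqrt

# A Gaussian integer a + bi is represented by the tuple (a, b) (a convention of this example).

def mul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def norm(x):
    return x[0] * x[0] + x[1] * x[1]

def exact_div(z, d):
    """Return z/d when d divides z in the Gaussian integers, otherwise None."""
    n = norm(d)
    a, b = mul(z, (d[0], -d[1]))  # z * conj(d) = (z/d) * N(d)
    return (a // n, b // n) if a % n == 0 and b % n == 0 else None

def primes_over(p):
    """Gaussian primes dividing the rational prime p, with real part > 0 and imaginary part >= 0."""
    found = []
    for a in range(1, isqrt(p) + 1):
        b = isqrt(p - a * a)
        if a * a + b * b == p:
            found.append((a, b))      # a + bi has norm p
    return found or [(p, 0)]          # no element of norm p: p itself is a Gaussian prime

def factor(z):
    """Return (unit, {prime: exponent}) with z = unit * product of prime**exponent."""
    if z == (0, 0):
        raise ValueError("0 has no factorization into Gaussian primes")
    factors = {}
    n, p = norm(z), 2
    while n > 1:
        if p * p > n:
            p = n                     # what remains of the norm is a rational prime
        if n % p:
            p += 1
            continue
        for pi in primes_over(p):     # trial division by each candidate over p
            q = exact_div(z, pi)
            while q is not None:
                z = q
                factors[pi] = factors.get(pi, 0) + 1
                q = exact_div(z, pi)
        n = norm(z)                   # p no longer divides the norm
    return z, factors                 # the cofactor left over has norm 1, so it is a unit

def expand(unit, factors):
    """Multiply a factorization back together (used to check factor())."""
    z = unit
    for pi, e in factors.items():
        for _ in range(e):
            z = mul(z, pi)
    return z

if __name__ == "__main__":
    print(factor((20, 0)))
```

Because the primes are normalized to the first quadrant, a factor such as $1 - 2i$ appears as its associate $2 + i$ and the difference is absorbed into the unit.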

Example 14.10. To find the factorization of 20 into Gaussian integers, we note that
$N(20) = 20^2 = 400$. It follows that the possible Gaussian prime divisors of 20 have
norm 2 or 5. We find that we can divide 20 by $1 + i$ four times, leaving a quotient of $-5$.
Because $5 = (1 + 2i)(1 - 2i)$, we see that

$$20 = -(1 + i)^4(1 + 2i)(1 - 2i).$$ ◄

14.2 Exercises

1. Use the definition of the greatest common divisor of two Gaussian integers to show that if $\pi_1$
and $\pi_2$ are Gaussian primes that are not associates, then 1 is a greatest common divisor of $\pi_1$
and $\pi_2$.

2. Use the definition of the greatest common divisor of two Gaussian integers to show that if $\varepsilon$
is a unit and $\alpha$ is a Gaussian integer, then 1 is a greatest common divisor of $\alpha$ and $\varepsilon$.

3. Show that if $\gamma$ is a greatest common divisor of the Gaussian integers $\alpha$ and $\beta$, then $\gamma$ is a
greatest common divisor of $\alpha$ and $\beta$.

4. a) By extending the definition of a greatest common divisor of two Gaussian integers, define
the greatest common divisor of a set of more than two Gaussian integers.
b) Show from your definition that a greatest common divisor of three Gaussian integers $\alpha$, $\beta$,
and $\gamma$ is a greatest common divisor of $\gamma$ and a greatest common divisor of $\alpha$ and $\beta$.

5. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then all associates of $\gamma$ are also greatest common divisors of $\alpha$ and $\beta$.

6. Show that if $\alpha$ and $\beta$ are Gaussian integers and $N(\alpha)$ and $N(\beta)$ are relatively prime rational
integers, then $\alpha$ and $\beta$ are relatively prime Gaussian integers.

7. Show that the converse of the statement in Exercise 6 is not necessarily true, that is, find
Gaussian integers $\alpha$ and $\beta$ such that $\alpha$ and $\beta$ are relatively prime Gaussian integers, but $N(\alpha)$
and $N(\beta)$ are not relatively prime positive integers.

8. Show that if $\alpha$ and $\beta$ are Gaussian integers and $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$,
then $N(\gamma)$ divides $(N(\alpha), N(\beta))$.

9. Show if $a$ and $b$ are relatively prime rational integers, then they are also relatively prime
Gaussian integers.

10. Show that if $\alpha$, $\beta$, and $\gamma$ are Gaussian integers and $n$ is a positive integer such that $\alpha\beta = \gamma^n$
and $\alpha$ and $\beta$ are relatively prime, then $\alpha = \varepsilon\delta^n$, where $\varepsilon$ is a unit and $\delta$ is a Gaussian integer.

11. a) Show all steps of the version of the Euclidean algorithm for the Gaussian integers described
in the text to find a greatest common divisor of $\alpha = 44 + 18i$ and $\beta = 12 - 16i$.
b) Use the steps in part (a) to find Gaussian integers $\mu$ and $\nu$ such that $\mu(44 + 18i) + \nu(12 -
16i)$ equals the greatest common divisor found in part (a).

12. a) Show all steps of the version of the Euclidean algorithm for the Gaussian integers described
in the text to show that $2 - 11i$ and $7 + 8i$ are relatively prime.
b) Use the steps in part (a) to find Gaussian integers $\mu$ and $\nu$ such that $\mu(2 - 11i) + \nu(7 +
8i) = 1$.

13. Show that two consecutive Gaussian Fibonacci numbers $G_k$ and $G_{k+1}$ (defined in the preamble
to Exercise 37 of Section 14.1), where $k$ is a positive integer, are relatively prime Gaussian
integers.

14. How many divisions are used to find a greatest common divisor of two consecutive Gaussian
Fibonacci numbers $G_k$ and $G_{k+1}$ (defined in Exercise 37 of Section 14.1), where $k$ is a positive
integer? Justify your answer.

15. Derive a big-O estimate for the number of bit operations required to find a greatest common
divisor of two nonzero Gaussian integers $\alpha$ and $\beta$, where $N(\alpha) < N(\beta)$. (Hint: Use the remark
following the proof of Theorem 14.6.)

16. For each of these Gaussian integers, find its factorization into Gaussian primes and a unit
where each Gaussian prime has a positive real part and a nonnegative imaginary part.

a) $9 + i$ b) $4$ c) $22 + 7i$ d) $210 + 2100i$

17. For each of these Gaussian integers, find its factorization into Gaussian primes and a unit
where each Gaussian prime has a positive real part and a nonnegative imaginary part.

a) $7 + 6i$ b) $3 - 13i$ c) $28$ d) $400i$

18. Find the factorization into Gaussian primes of each of the Gaussian integers $k + (7 - k)i$ for
$k = 1, 2, 3, 4, 5, 6, 7$, where each Gaussian prime has a positive real part and a nonnegative
imaginary part.

19. Determine the number of different Gaussian integers, counting associates separately, that
divide

a) $10$ b) $256 + 128i$ c) $27{,}000$ d) $5040 + 40{,}320i$

20. Determine the number of different Gaussian integers, counting associates separately, that
divide

a) $198$. b) $128 + 256i$. c) $169{,}000$. d) $4004 + 8008i$.

21. Suppose that a + ib is a Gaussian integer and n is a rational integer. Show that n and a + ib 
are relatively prime if and only if n and b + ai are relatively prime. 

22. Use the unique factorization theorem for Gaussian integers (Theorem 14.10) and Exercise
13 of Section 14.1 to show that every nonzero Gaussian integer can be written uniquely,
except for the order of terms, as $\varepsilon\pi_1^{e_1}\pi_2^{e_2}\cdots\pi_k^{e_k}$, where $\varepsilon$ is a unit and for $j = 1, 2, \ldots, k$,
$\pi_j = a_j + ib_j$ is a Gaussian prime with $a_j > 0$ and $b_j \ge 0$, and $e_j$ is a positive integer.

23. Adapt Euclid’s proof that there are infinitely many primes (Theorem 3.1) to show that there 
are infinitely many Gaussian primes. 

Exercises 24-41 rely on the notion of a congruence for Gaussian integers defined in the preamble 
to Exercise 33 in Section 14.1. 

24. a) Define what it means for $\beta$ to be an inverse of $\alpha$ modulo $\mu$, where $\alpha$, $\beta$, and $\mu$ are
Gaussian integers.

b) Show that if $\alpha$ and $\mu$ are relatively prime Gaussian integers, then there exists a Gaussian
integer $\beta$ that is an inverse of $\alpha$ modulo $\mu$.

25. Find an inverse of $1 + 2i$ modulo $2 + 3i$.

26. Find an inverse of $4$ modulo $5 + 2i$.

27. Explain how a linear congruence of the form $\alpha x \equiv \beta \pmod{\mu}$ can be solved, where $\alpha$, $\beta$, and
$\mu$ are Gaussian integers and $\alpha$ and $\mu$ are relatively prime.

28. Solve each of these linear congruences in Gaussian integers.

a) $(2 + i)x \equiv 3 \pmod{4 - i}$ b) $4x \equiv -3 + 4i \pmod{5 + 2i}$ c) $2x \equiv 5 \pmod{3 - 2i}$

29. Solve each of these linear congruences in Gaussian integers.

a) $3x \equiv 2 + i \pmod{13}$ b) $5x \equiv 3 - 2i \pmod{4 + i}$ c) $(3 + i)x \equiv 4 \pmod{2 + 3i}$

30. Solve each of these linear congruences in Gaussian integers.

a) $5x \equiv 2 - 3i \pmod{11}$ b) $4x \equiv 7 + i \pmod{3 + 2i}$ c) $(2 + 5i)x \equiv 3 \pmod{4 - 7i}$

31. Develop and prove a version of the Chinese remainder theorem for systems of congruences
for Gaussian integers.

32. Find the simultaneous solutions in Gaussian integers of the system of congruences

$x \equiv 2 \pmod{2 + 3i}$
$x \equiv 3 \pmod{1 + 4i}$.

33. Find the simultaneous solutions in Gaussian integers of the system of congruences

$x \equiv 1 + 3i \pmod{2 + 5i}$
$x \equiv 2 - i \pmod{3 - 4i}$.

34. Find a Gaussian integer congruent to 1 modulo 11, to 2 modulo $4 + 3i$, and to 3 modulo
$1 + 7i$.

A complete residue system modulo $\gamma$, where $\gamma$ is a Gaussian integer, is a set of Gaussian integers
such that every Gaussian integer is congruent modulo $\gamma$ to exactly one element of this set.

35. Find a complete residue system modulo

a) $1 - i$. b) $2$. c) $2 + 3i$.

36. Find a complete residue system modulo

a) $1 + 2i$. b) $3$. c) $4 - i$.

37. Prove that a complete residue system of $\alpha$, where $\alpha$ is a Gaussian integer, has $N(\alpha)$ elements.

A reduced residue system modulo $\gamma$, where $\gamma$ is a Gaussian integer, is a set of Gaussian integers
such that every Gaussian integer that is relatively prime to $\gamma$ is congruent to exactly one element
of this set.

38. Find a reduced residue system modulo

a) $-1 + 3i$. b) $2$. c) $5 - i$.

39. Find a reduced residue system modulo

a) $2 + 2i$. b) $4$. c) $4 + 2i$.

40. Suppose that $\pi$ is a Gaussian prime. Determine the number of elements in a reduced residue
system modulo $\pi$.

41. Suppose that $\pi$ is a Gaussian prime. Determine the number of elements in a reduced residue
system modulo $\pi^e$, where $e$ is a positive integer.

42. a) Show that the algebraic integers of the form $r + s\sqrt{-3}$, where $r$ and $s$ are rational
numbers, are the numbers of the form $a + b\omega$, where $a$ and $b$ are integers and where
$\omega = (-1 + \sqrt{-3})/2$. Numbers of this form are called Eisenstein integers after Max
Eisenstein, who studied them in the mid-nineteenth century. (They are also sometimes
called Eisenstein-Jacobi integers because they were also studied by Carl Jacobi.) The set
of Eisenstein integers is denoted by $\mathbb{Z}[\omega]$.

b) Show that the sum, difference, and product of two Eisenstein integers is also an Eisenstein
integer.

c) Show that if $\alpha$ is an Eisenstein integer, then $\bar{\alpha}$, the complex conjugate of $\alpha$, is also an
Eisenstein integer. (Hint: First show that $\bar{\omega} = \omega^2$.)

d) If $\alpha$ is an Eisenstein integer, we define the norm of this integer by $N(\alpha) = a^2 - ab + b^2$ if
$\alpha = a + b\omega$, where $a$ and $b$ are integers. Show that $N(\alpha) = \alpha\bar{\alpha}$ whenever $\alpha$ is an Eisenstein
integer.

e) If $\alpha$ and $\beta$ are Eisenstein integers, we say that $\alpha$ divides $\beta$ if there exists an element $\gamma$
in $\mathbb{Z}[\omega]$ such that $\beta = \alpha\gamma$. Determine whether $1 + 2\omega$ divides $1 + 5\omega$ and whether $3 + \omega$
divides $9 + 8\omega$.

f) An Eisenstein integer $\varepsilon$ is a unit if $\varepsilon$ divides 1. Find all the Eisenstein integers that are
units.

g) An Eisenstein prime $\pi$ in $\mathbb{Z}[\omega]$ is an element divisible only by a unit or an associate of $\pi$.
(An associate of an Eisenstein integer is the product of that integer and a unit.) Determine
whether each of the following elements are Eisenstein primes: $1 + 2\omega$, $3 - 2\omega$, $5 + 4\omega$,
and $-7 - 2\omega$.

* h) Show that if $\alpha$ and $\beta \ne 0$ belong to $\mathbb{Z}[\omega]$, there are numbers $\gamma$ and $\rho$ such that $\alpha = \beta\gamma + \rho$
and $N(\rho) < N(\beta)$. That is, establish a version of the division algorithm for the Eisenstein
integers.

i) Using part (h), show that Eisenstein integers can be uniquely written as the product of
Eisenstein primes, with the appropriate considerations about associated primes taken into
account.

j) Find the factorization into Eisenstein primes of each of the following Eisenstein integers:
$6$, $5 + 9\omega$, $114$, $37 + 14\omega$.

43. a) Show that the algebraic integers of the form $r + s\sqrt{-5}$, where $r$ and $s$ are rational numbers,
are the numbers of the form $a + b\sqrt{-5}$, where $a$ and $b$ are rational integers. (Recall that
we briefly studied such numbers in Chapter 3. In this exercise, we look at these numbers
in more detail.)

b) Show that the sum, difference, and product of numbers of the form $a + b\sqrt{-5}$, where $a$
and $b$ are rational integers, is again of this form.

c) We denote the set of numbers $a + b\sqrt{-5}$ by $\mathbb{Z}[\sqrt{-5}]$. Suppose that $\alpha$ and $\beta$ belong to
$\mathbb{Z}[\sqrt{-5}]$. We say that $\alpha$ divides $\beta$ if there exists a number $\gamma$ in $\mathbb{Z}[\sqrt{-5}]$ such that $\beta = \alpha\gamma$.
Determine whether $-9 + 11\sqrt{-5}$ is divisible by $2 + 3\sqrt{-5}$ and whether $8 + 13\sqrt{-5}$ is
divisible by $1 + 4\sqrt{-5}$.

d) We define the norm of a number $\alpha = a + b\sqrt{-5}$ to be $N(\alpha) = a^2 + 5b^2$. Show that
$N(\alpha\beta) = N(\alpha)N(\beta)$ whenever $\alpha$ and $\beta$ belong to $\mathbb{Z}[\sqrt{-5}]$.

e) We say $\varepsilon$ is a unit of $\mathbb{Z}[\sqrt{-5}]$ if $\varepsilon$ divides 1. Show that the units in $\mathbb{Z}[\sqrt{-5}]$ are $1$ and $-1$.

f) We say that an element $\alpha$ in $\mathbb{Z}[\sqrt{-5}]$ is prime if its only divisors in $\mathbb{Z}[\sqrt{-5}]$ are $1$, $-1$,
$\alpha$, and $-\alpha$. Show that $2$, $3$, $1 + \sqrt{-5}$, and $1 - \sqrt{-5}$ are all primes, and that 2 does not
divide either $1 + \sqrt{-5}$ or $1 - \sqrt{-5}$. Conclude that $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$ can
be written as the product of primes in two different ways. This means that $\mathbb{Z}[\sqrt{-5}]$ does
not have unique factorization into primes.

g) Show that there do not exist elements $\gamma$ and $\rho$ in $\mathbb{Z}[\sqrt{-5}]$ such that $7 - 2\sqrt{-5} =
(1 + \sqrt{-5})\gamma + \rho$, where $N(\rho) < N(1 + \sqrt{-5}) = 6$. Conclude that there is no analog for
the division algorithm in $\mathbb{Z}[\sqrt{-5}]$.

h) Show that if $\alpha = 3$ and $\beta = 1 + \sqrt{-5}$, there do not exist numbers $\mu$ and $\nu$ in $\mathbb{Z}[\sqrt{-5}]$
such that $\alpha\mu + \beta\nu = 1$, even though $\alpha$ and $\beta$ are both primes, neither of which divides
the other.

Computations and Explorations 

1. Find the unique factorization into a unit and a product of Gaussian primes, where each
Gaussian prime has a positive real part and a nonnegative imaginary part, of $(2007 - k) +
(2008 - k)i$ for all positive integers $k$ with $k < 8$.

2. Find a prime factor of smallest norm of each of the Gaussian integers formed by adding 1 to
the product of all Gaussian primes with norm less than $n$ for as many $n$ as possible. Do you
think that infinitely many of these numbers are Gaussian primes?

3. Determine whether two randomly selected Gaussian integers are relatively prime, and by 
doing this repeatedly, estimate the probability that two randomly selected Gaussian integers 
are relatively prime. 

Programming Projects 

1. Find a greatest common divisor of two Gaussian integers using a version of the Euclidean 
algorithm for Gaussian integers. 

2. Express a greatest common divisor of two Gaussian integers as a linear combination of these 
Gaussian integers. 

3. Keep track of the number of steps used by the version of the Euclidean algorithm for Gaussian 
integers that uses the construction in the proof of the division algorithm for Gaussian integers 
to find quotients and remainders. 

4. Find the unique factorization of a Gaussian integer into a unit times Gaussian primes, where 
each Gaussian prime in the factorization is in the first quadrant. 


14.3 Gaussian Integers and Sums of Squares 

In Section 13.3, we determined which positive integers are the sum of two squares. In 
this section, we will show that we can prove this result using what we have learned about 
Gaussian primes. We will also be able to determine the number of different ways that a 
positive integer can be written as the sum of two squares using Gaussian primes. 

In Section 13.3, we proved that every prime of the form $4k + 1$ is the sum of two
squares. We can prove this fact in a different way using Gaussian primes.

Theorem 14.11. If $p$ is a rational prime of the form $4k + 1$, where $k$ is a positive integer,
then $p$ is the sum of two squares, and these squares are unique up to their order.

Proof. Suppose that $p$ is of the form $4k + 1$, where $k$ is a positive integer. To prove that
$p$ can be written as the sum of two squares, we show that $p$ is not a Gaussian prime. By
Theorem 11.5, we know that $-1$ is a quadratic residue of $p$. Consequently, we know that
there is a rational integer $t$ such that $t^2 \equiv -1 \pmod{p}$. It follows that $p \mid (t^2 + 1)$. We
can use this divisibility relation for rational integers to conclude that $p \mid (t + i)(t - i)$.
If $p$ is a Gaussian prime, then by Lemma 14.1, it follows that $p \mid t + i$ or $p \mid t - i$. Both
of these cases are impossible because the Gaussian integers divisible by $p$ have the form
$p(a + bi) = pa + pbi$, where $a$ and $b$ are rational integers. Neither $t + i$ nor $t - i$ has
this form. We can conclude that $p$ is not a Gaussian prime.

Because $p$ is not a Gaussian prime, there are Gaussian integers $\alpha$ and $\beta$, neither a
unit, such that $p = \alpha\beta$. Taking norms of both sides of this equation, we find that

$$N(p) = p^2 = N(\alpha\beta) = N(\alpha)N(\beta).$$

Because neither $\alpha$ nor $\beta$ is a unit, $N(\alpha) \ne 1$ and $N(\beta) \ne 1$. This implies that $N(\alpha) =
N(\beta) = p$. Consequently, if $\alpha = a + bi$ and $\beta = c + di$, we know that

$$p = N(\alpha) = a^2 + b^2 \quad\text{and}\quad p = N(\beta) = c^2 + d^2.$$

It follows that p is the sum of two squares. 

We leave the proof that p can be written uniquely as the sum of two squares to the 
reader. ■ 

To find which rational integers are the sum of two squares, we will need to determine 
which rational integers are Gaussian primes and which factor into Gaussian primes. To 
accomplish that task, we will need the following lemma. 

Lemma 14.3. If $\pi$ is a Gaussian prime, then there is exactly one rational prime $p$ such
that $\pi$ divides $p$.

Proof. We first factor the rational integer $N(\pi)$ into prime factors, say, $N(\pi) =
p_1p_2\cdots p_t$, where $p_j$ is prime for $j = 1, 2, \ldots, t$. Because $N(\pi) = \pi\bar{\pi}$, it follows
that $\pi \mid N(\pi)$, so that $\pi \mid p_1p_2\cdots p_t$. By Lemma 14.2, it follows that $\pi \mid p_j$ for some
integer $j$ with $1 \le j \le t$. We have shown that $\pi$ divides a rational prime.

To complete the proof, we must show that $\pi$ cannot divide two different rational
primes. So suppose that $\pi \mid p_1$ and $\pi \mid p_2$, where $p_1$ and $p_2$ are different rational primes.
Because $p_1$ and $p_2$ are relatively prime, by Corollary 3.8.1, there are rational integers $m$
and $n$ such that $mp_1 + np_2 = 1$. Moreover, because $\pi \mid p_1$ and $\pi \mid p_2$, we see that $\pi \mid 1$
(using the divisibility property in Exercise 8 of Section 14.1). But this implies that $\pi$ is
a unit, which is impossible, so $\pi$ does not divide two different rational primes. ■

We can now determine which rational primes are also Gaussian primes and the 
factorization into Gaussian primes of those that are not. 

Theorem 14.12. If $p$ is a rational prime, then $p$ factors as a Gaussian integer according
to these rules:

(i) If $p = 2$, then $p = -i(1 + i)^2 = i(1 - i)^2$, where $1 + i$ and $1 - i$ are both
Gaussian primes with norm 2.

(ii) If $p \equiv 3 \pmod{4}$, then $p = \pi$ is a Gaussian prime with $N(\pi) = p^2$.

(iii) If $p \equiv 1 \pmod{4}$, then $p = \pi\pi'$, where $\pi$ and $\pi'$ are Gaussian primes that are
not associates with $N(\pi) = N(\pi') = p$.

Proof. To prove (i), we note that $2 = -i(1 + i)^2 = i(1 - i)^2$, where the factors $-i$ and $i$
are units. Furthermore, $N(1 + i) = N(1 - i) = 1^2 + 1^2 = 2$. Since $N(1 + i) = N(1 - i)$
is a rational prime by Theorem 14.5, it follows that $1 + i$ and $1 - i$ are Gaussian primes.

To prove (ii), let $p$ be a rational prime with $p \equiv 3 \pmod{4}$. Suppose that $p = \alpha\beta$,
where $\alpha$ and $\beta$ are Gaussian integers with $\alpha = a + bi$ and $\beta = c + di$ and neither
$\alpha$ nor $\beta$ is a unit. By part (ii) of Theorem 14.1, it follows that $N(p) = N(\alpha\beta) =
N(\alpha)N(\beta)$. Because $N(p) = p^2$, $N(\alpha) = a^2 + b^2$, and $N(\beta) = c^2 + d^2$, we see that
$p^2 = (a^2 + b^2)(c^2 + d^2)$. Neither $\alpha$ nor $\beta$ is a unit, so neither has norm 1. It follows
that $N(\alpha) = a^2 + b^2 = p$ and $N(\beta) = c^2 + d^2 = p$. However, this is impossible because
$p \equiv 3 \pmod{4}$, so that $p$ is not the sum of two squares.

To prove (iii), let $p$ be a rational prime with $p \equiv 1 \pmod{4}$. By Theorem 14.11,
there are integers $a$ and $b$ such that $p = a^2 + b^2$. If $\pi_1 = a - bi$ and $\pi_2 = a + bi$, then
$p^2 = N(p) = N(\pi_1)N(\pi_2)$, so that $N(\pi_1) = N(\pi_2) = p$. It follows by Theorem 14.5
that $\pi_1$ and $\pi_2$ are Gaussian primes.

Next, we show that $\pi_1$ and $\pi_2$ are not associates. Suppose that $\pi_1 = \varepsilon\pi_2$, where $\varepsilon$ is
a unit. Because $\varepsilon$ is a unit, $\varepsilon = 1$, $-1$, $i$, or $-i$.

If $\varepsilon = 1$, then $\pi_1 = \pi_2$. This means that $a + bi = a - bi$, so that $b = 0$. This implies
that $p = a^2 + b^2 = a^2$, which is impossible because $p$ is prime. Similarly, when $\varepsilon = -1$,
then $\pi_1 = -\pi_2$. This implies that $a + bi = -a + bi$, which makes $a = 0$. This implies
that $b^2 = p$, which is also impossible. If $\varepsilon = i$, then $a + ib = i(a - ib) = b + ia$, so
that $a = b$. Similarly, if $\varepsilon = -i$, then $a + ib = -i(a - ib)$, so that $a = -b$. In both of
these cases, $p = a^2 + b^2 = 2a^2$, which is impossible because $p$ is an odd prime. We have
shown that all four possible values of $\varepsilon$ are impossible. It follows that $\pi_1$ and $\pi_2$ are not
associates, completing the proof of (iii). ■

We have all the ingredients we need to determine the number of representations of 
a positive integer as the sum of two squares using the unique factorization theorem for 
the Gaussian integers. Recall that we determined which positive integers can be written 
as the sum of two squares in Theorem 13.6 in Section 13.3. 

Theorem 14.13. Suppose that $n$ is a positive integer with prime power factorization

$$n = 2^m p_1^{e_1}p_2^{e_2}\cdots p_s^{e_s}q_1^{f_1}q_2^{f_2}\cdots q_t^{f_t},$$

where $m$ is a nonnegative integer, $p_1, p_2, \ldots, p_s$ are primes of the form $4k + 1$, $q_1,
q_2, \ldots, q_t$ are primes of the form $4k + 3$, $e_1, e_2, \ldots, e_s$ are nonnegative integers, and
$f_1, f_2, \ldots, f_t$ are even nonnegative integers. Then there are

$$4(e_1 + 1)(e_2 + 1)\cdots(e_s + 1)$$

ways to express $n$ as the sum of two squares. (Here the order in which squares appear in
the sum and the sign of the integer being squared both matter.)

Proof. To count the number of ways to write $n$ as the sum of the squares, that is, the
number of solutions $(a, b)$ of $n = a^2 + b^2$, we can count the number of ways to factor $n$
into Gaussian integers $a + ib$ and $a - ib$, that is, to write $n = (a + ib)(a - ib)$.

We will use the factorization of $n$ to count the number of ways we can factor
$n$ as the product of two conjugates, that is, $n = (a + ib)(a - ib)$. First, note that by
Theorem 14.11, for each prime $p_k$ of the form $4k + 1$ that divides $n$, there are integers
$a_k$ and $b_k$ such that $p_k = a_k^2 + b_k^2$. Also note that because $1 + i = i(1 - i)$, we have

$$2^m = (1 + i)^m(1 - i)^m = (i(1 - i))^m(1 - i)^m = i^m(1 - i)^{2m}.$$

Consequently, we have

$$n = i^m(1 - i)^{2m}(a_1 + b_1i)^{e_1}(a_1 - b_1i)^{e_1}(a_2 + b_2i)^{e_2}(a_2 - b_2i)^{e_2}\cdots(a_s + b_si)^{e_s}(a_s - b_si)^{e_s}q_1^{f_1}q_2^{f_2}\cdots q_t^{f_t}.$$

Next, note that $\varepsilon = i^m$ is a unit because it takes on one of the values $1$, $-1$, $i$, or $-i$. This
means that a factorization of $n$ into the product of a unit and Gaussian primes is

$$n = \varepsilon(1 - i)^{2m}(a_1 + b_1i)^{e_1}(a_1 - b_1i)^{e_1}(a_2 + b_2i)^{e_2}(a_2 - b_2i)^{e_2}\cdots(a_s + b_si)^{e_s}(a_s - b_si)^{e_s}q_1^{f_1}q_2^{f_2}\cdots q_t^{f_t}.$$

Because the Gaussian integer $u + iv$ divides $n$, its factorization into a unit and Gaussian
primes must have the form

$$u + iv = \varepsilon_0(1 - i)^w(a_1 + b_1i)^{g_1}(a_1 - b_1i)^{h_1}(a_2 + b_2i)^{g_2}(a_2 - b_2i)^{h_2}\cdots(a_s + b_si)^{g_s}(a_s - b_si)^{h_s}q_1^{k_1}q_2^{k_2}\cdots q_t^{k_t},$$

where $\varepsilon_0$ is a unit, $w$, $g_1, \ldots, g_s$, $h_1, \ldots, h_s$, and $k_1, \ldots, k_t$ are nonnegative integers
with $0 \le w \le 2m$, $0 \le g_i \le e_i$, $0 \le h_i \le e_i$ for $i = 1, \ldots, s$, and $0 \le k_j \le f_j$ for $j =
1, \ldots, t$.

Forming the conjugate of $u + iv$, we find

$$u - iv = \bar{\varepsilon}_0(1 + i)^w(a_1 - b_1i)^{g_1}(a_1 + b_1i)^{h_1}(a_2 - b_2i)^{g_2}(a_2 + b_2i)^{h_2}\cdots(a_s - b_si)^{g_s}(a_s + b_si)^{h_s}q_1^{k_1}q_2^{k_2}\cdots q_t^{k_t}.$$

We can now rewrite the equation $n = (u + iv)(u - iv)$ as

$$n = 2^w p_1^{g_1 + h_1}\cdots p_s^{g_s + h_s}q_1^{2k_1}\cdots q_t^{2k_t}.$$

Comparing this with the factorization of $n$ into a unit and Gaussian primes, we
see that $w = m$, $g_i + h_i = e_i$ for $i = 1, \ldots, s$, and $2k_j = f_j$ for $j = 1, \ldots, t$. We
see that the values of $w$ and $k_j$ for $j = 1, \ldots, t$ are determined, but we have $e_i + 1$
choices for $g_i$, namely, $g_i = 0, 1, 2, \ldots, e_i$, and that once $g_i$ is determined, so is
$h_i = e_i - g_i$. Furthermore, we have four choices for the unit $\varepsilon_0$. We conclude that there
are $4(e_1 + 1)(e_2 + 1)\cdots(e_s + 1)$ choices for the factor $u + iv$ and for the number of
ways to write $n$ as the sum of two squares. ■

Example 14.11. Suppose that $n = 25 = 5^2$. Then by Theorem 14.13, there are 4 · 3 = 
12 ways to write 25 as the sum of two squares. (These are $(\pm 3)^2 + (\pm 4)^2$, $(\pm 4)^2 + (\pm 3)^2$, 
$(\pm 5)^2 + 0^2$, and $0^2 + (\pm 5)^2$. Note that the order in which terms appear matters when we 
count these representations.) 

Suppose that $n = 90 = 2 \cdot 5 \cdot 3^2$. Then by Theorem 14.13, there are 4 · 2 = 8 ways 
to write 90 as the sum of two squares. (These are $(\pm 3)^2 + (\pm 9)^2$ and $(\pm 9)^2 + (\pm 3)^2$. 
Note that the order in which terms appear matters when we count these representations.) 

Let $n = 16{,}200 = 2^3 \cdot 5^2 \cdot 3^4$. By Theorem 14.13, there are 4 · 3 = 12 ways to write 
16,200 as the sum of two squares. We leave it to the reader to find these representations. 
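
The count derived in the proof above can be checked against a direct search. The following Python is an added example, not code from the text; the function names are my own, and the return value 0 for a prime of the form 4k + 3 with odd exponent follows from the condition $2k_j = f_j$ in the proof.

```python
from math import isqrt


def factorize(n):
    """Return {prime: exponent} for n >= 1 by trial division."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def count_two_squares(n):
    """Number of ordered pairs (x, y) of integers with x^2 + y^2 = n,
    computed from the prime factorization as in the proof above."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    count = 4  # four choices for the unit epsilon_0
    for p, e in factorize(n).items():
        if p % 4 == 1:
            count *= e + 1  # e_i + 1 choices for g_i
        elif p % 4 == 3 and e % 2 == 1:
            return 0  # 2*k_j = f_j has no solution when f_j is odd
        # the prime 2 and primes 4k + 3 with even exponent leave no choice
    return count


def two_square_representations(n):
    """All ordered pairs (x, y) with x^2 + y^2 = n, found by direct search."""
    reps = []
    r = isqrt(n)
    for x in range(-r, r + 1):
        y_squared = n - x * x
        y = isqrt(y_squared)
        if y * y == y_squared:
            reps.append((x, y))
            if y != 0:
                reps.append((x, -y))
    return sorted(reps)


if __name__ == "__main__":
    # The three integers of Example 14.11.
    for n in (25, 90, 16200):
        reps = two_square_representations(n)
        assert len(reps) == count_two_squares(n)
        print(n, count_two_squares(n), reps)
```

Trial division is adequate for integers of the size used in this section; the direct search is the independent check on the formula.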
Conclusion 

In this section, we used the Gaussian integers to study the solutions of the diophantine 
equation $x^2 + y^2 = n$, where n is a positive integer. The Gaussian integers are useful 
in studying a variety of other types of diophantine equations. For example, we can 
find Pythagorean triples using the Gaussian integers (Exercise 7), and we can find the 
solutions in rational integers of the diophantine equation $x^2 + y^2 = z^3$ (Exercise 8). 


14.3 Exercises 

1. Determine the number of ways to write each of the following rational integers as the sum of 
squares of two rational integers. 

a) 5 b) 20 c) 120 d) 1000 

2. Determine the number of ways to write each of the following rational integers as the sum of 
squares of two rational integers. 

a) 16 b) 99 c) 650 d) 1,001,000 

3. Explain how to solve a linear diophantine equation of the form $\alpha x + \beta y = \gamma$, where $\alpha$, $\beta$, 
and $\gamma$ are Gaussian integers, so that the solution (x, y) is a pair of Gaussian integers. 

4. Find all solutions in pairs of Gaussian integers (x, y ) of each of these linear diophantine 
equations. 

a) (3 + 2i)x + 5y = li b) 5x + (2 - i)y = 3 

5. Find all solutions in pairs of Gaussian integers (x, y) of each of the following linear diophan- 
tine equations. 

a) (3 + 4 i)x + (3 - i)y = 7 i b) (7 + i)x + (7 - i)y = 1 

6. Explain how to solve a linear diophantine equation of the form $\alpha x + \beta y + \delta z = \gamma$, where $\alpha$, 
$\beta$, $\delta$, and $\gamma$ are Gaussian integers, so that the solution (x, y, z) is a triple of Gaussian integers. 

7. Prove the uniqueness part of Theorem 14.11. That is, show that if p is a prime of the form 
$4k + 1$ and $p = a^2 + b^2 = c^2 + d^2$ where a, b, c, and d are integers, then either $a^2 = c^2$ and 
$b^2 = d^2$ or $a^2 = d^2$ and $b^2 = c^2$. 

8. In this exercise, we will use the Gaussian integers to find the solutions in pairs (x, y) of 
rational integers of the diophantine equation $x^2 + 1 = y^3$. 

a) Show that if x and y are integers such that $x^2 + 1 = y^3$, then $x - i$ and $x + i$ are relatively 
prime. 

b) Show that there are integers r and s such that $x = r^3 - 3rs^2$ and $3r^2 s - s^3 = 1$. (Hint: 
Use part (a) and Exercise 10 in Section 14.2 to show that there is a unit $\epsilon$ and a Gaussian 
integer $\delta$ such that $x + i = (\epsilon\delta)^3$.) 

c) Find all solutions in integers of $x^2 + 1 = y^3$ by analyzing the equations for r and s in part 
(b). 

9. Use the Gaussian integers to prove Theorem 13.1 in Section 13.1, which gives primitive 
Pythagorean triples, that is, solutions of the equation $x^2 + y^2 = z^2$ in integers x, y, and 
z, where x, y, and z are pairwise relatively prime. (Hint: Begin with the factorization 
$x^2 + y^2 = (x + iy)(x - iy)$. Show that $x + iy$ and $x - iy$ are relatively prime Gaussian 
integers, and then use Exercise 10 in Section 14.1.) 

10. Use the Gaussian integers to find all solutions of the diophantine equation $x^2 + y^2 = z^3$ in 
rational integers x, y, and z. 

11. Prove the analog of Fermat’s little theorem for the Gaussian integers, which states that if $\alpha$ 
and $\pi$ are relatively prime, then $\equiv 1 \pmod{\pi}$. (Hint: Suppose that p is the unique 
rational prime with $\pi \mid p$. Consider separately the cases where $p \equiv 1 \pmod 4$, $p \equiv 2 \pmod 4$, 
and $p \equiv 3 \pmod 4$.) 

12. Define $\phi(\gamma)$, where $\gamma$ is a Gaussian integer, to be the number of elements in a reduced residue 
system modulo $\gamma$. Prove the analog of Euler’s theorem for the Gaussian integers, which states 
that if $\gamma$ is a Gaussian integer and $\alpha$ is a Gaussian integer that is relatively prime to $\gamma$, then 

$$\alpha^{\phi(\gamma)} \equiv 1 \pmod{\gamma}.$$

13. Prove the analog of Wilson’s theorem for the Gaussian integers, which states that if $\pi$ is a 
Gaussian prime and $\{\alpha_1, \alpha_2, \ldots, \alpha_r\}$ is a reduced system of residues modulo $\pi$, then 

$$\alpha_1 \alpha_2 \cdots \alpha_r \equiv -1 \pmod{\pi}.$$

14. Show that in the Eisenstein integers (defined in Exercise 42 in Section 14.2), 

a) the rational prime 2 is an Eisenstein prime. 

b) a rational prime of the form $3k + 2$, where k is a positive integer, is an Eisenstein prime. 

c) a rational prime of the form $3k + 1$, where k is a positive integer, factors into the product 
of two primes that are not associates of one another. 

Computations and Explorations 

1. In Chapter 13, we mentioned that Catalan’s conjecture has been settled, showing that $2^3$ and 
$3^2$ are the only powers of rational integers that differ by 1. An open question for Gaussian 
integers is to find all powers of Gaussian integers that differ by a unit. Show that $(11 + 11i)^2$ 
and $(3i)^5$, $(1 - i)^5$ and $(1 + 2i)^2$, and $(78 + 78i)^2$ and $(23i)^3$ are such pairs of powers. Can 
you find other such pairs? 

2. Show that $(3 + 13i)^3 + (7 + i)^3 = (3 + 10i)^3 + (1 + 10i)^3$, $(6 + 3i)^4 + (2 + 6i)^4 = (4 + 2i)^4 + (2 + i)^4$, 
$(2 + 3i)^5 + (2 - 3i)^5 = 3^5 + 1$, $(1 + 6i)^5 + (3 - 2i)^5 = (6 + i)^5 + (-2 + 3i)^5$, 
$(9 + 6i)^5 + (3 - 10i)^5 = (6 + i)^5 + (6 - 5i)^5$, and $(15 + 14i)^5 + (5 - 18i)^5 = (18 - 7i)^5 + (2 + 3i)^5$. 
Can you find other solutions of the equation $x^n + y^n = w^n + z^n$, where 
x, y, z, and w are Gaussian integers and n is a positive integer? 

3. Show that Beal’s conjecture, which asserts that there are no nontrivial solutions of the 
diophantine equation $x^a + y^b = z^c$, where a, b, and c are integers with $a \ge 3$, $b \ge 3$, and $c \ge 3$, 
does not hold when x, y, and z are allowed to be pairwise relatively prime Gaussian integers 
by showing that $(-2 + i)^3 + (-2 - i)^3 = (1 + i)^4$. Can you find other counterexamples? 

Programming Projects 

1. Find the number of ways to write a positive integer n as the sum of two squares. 

2 . Find all representations of a positive integer n as the sum of two squares. 
Axioms for the Set of Integers 


In this appendix, we state a collection of fundamental properties for the set of integers 
{. . . , —2, —1, 0, 1, 2, . . .} that we have taken as axioms in the main body of the text. 
These properties provide the foundations for proving results in number theory. We begin 
with properties dealing with addition and multiplication. As usual, we denote the sum 
and product of a and b by a + b and a • b, respectively. Following convention, we write 
ab for a • b. 

• Closure: a + b and a • b are integers whenever a and b are integers. 

• Commutative laws: a + b = b + a and a • b = b • a for all integers a and b. 

• Associative laws: (a + b) + c = a + (b + c) and (a • b) • c = a • (b • c) for all integers 
a, b, and c. 

• Distributive law: (a + b) • c = a • c + b • c for all integers a, b, and c. 

• Identity elements: a + 0 = a and a • 1 = a for all integers a. 

• Additive inverse: For every integer a there is an integer solution x to the equation 
a + x = 0; this integer x is called the additive inverse of a and is denoted by -a. By 
b - a, we mean b + (-a). 

• Cancellation law: If a, b, and c are integers with a • c = b • c, c ≠ 0, then a = b. 

We can use these axioms and the usual properties of equality to establish additional 
properties of integers. An example illustrating how this is done follows. In the main body 
of the text, results that are easily proved from these axioms are used without comment. 

Example A.1. To show that 0 • a = 0, begin with the equation 0 + 0 = 0; this holds 
because 0 is an identity element for addition. Next, multiply both sides by a to obtain 
(0 + 0) • a = 0 • a. By the distributive law, the left-hand side of this equation equals 
(0 + 0) • a = 0 • a + 0 • a. Hence, 0 • a + 0 • a = 0 • a. Next, subtract 0 • a from both 
sides (which is the same as adding the inverse of 0 • a). Using the associative law for 
addition and the fact that 0 is an additive identity element, the left-hand side becomes 
0 • a + (0 • a - 0 • a) = 0 • a + 0 = 0 • a. The right-hand side becomes 0 • a - 0 • a = 0. 
We conclude that 0 • a = 0. ◄ 

Ordering of integers is defined using the set of positive integers {1, 2, 3, . . .}. We 
have the following definition. 

Definition. If a and b are integers, then a < b if b - a is a positive integer. If a < b, 
we also write b > a. 

Note that a is a positive integer if and only if a > 0. 

The fundamental properties of ordering of integers follow. 

• Closure for the positive integers: a + b and a • b are positive integers whenever a and 
b are positive integers. 

• Trichotomy law: For every integer a, exactly one of the statements a > 0, a = 0, and 
a < 0 is true. 

The set of integers is said to be an ordered set because it has a subset that is closed 
under addition and multiplication and because the trichotomy law holds for every integer. 

Basic properties of ordering of integers can now be proved using our axioms, as the 
following example shows. Throughout the text, we have used without proof properties 
of ordering that easily follow from our axioms. 

Example A.2. Suppose that a, b, and c are integers with a < b and c > 0. We can 
show that ac < bc. First, note that by the definition of a < b we have b - a > 0. 
Because the set of positive integers is closed under multiplication, c(b - a) > 0. Because 
c(b - a) = cb - ca, it follows that ca < cb. ◄ 

We need one more property to complete our set of axioms. 

• The well-ordering property: Every nonempty set of positive integers has a least ele- 
ment. 

We say that the set of positive integers is well ordered. On the other hand, the set of all 
integers is not well ordered, because there are sets of integers that do not have a smallest 
element (as the reader should verify). Note that the principle of mathematical induction 
discussed in Section 1.3 is a consequence of the set of axioms listed in this appendix. 
Sometimes, the principle of mathematical induction is taken as an axiom replacing 
the well-ordering property. When this is done, the well-ordering property follows as 
a consequence. 


Exercises 

1. Use the axioms for the set of integers to prove the following statements for all integers a, b, 
and c. 

a) a • (b + c) = a • b + a • c     c) a + (b + c) = (c + a) + b 

b) $(a + b)^2 = a^2 + 2ab + b^2$     d) (b - a) + (c - b) + (a - c) = 0 

2. Use the axioms for the set of integers to prove the following statements for all integers a and 
b. 

a) (-1) • a = —a c) (-a) • (-1) = ab 

b) -(a • b) = a • (-b)     d) -(a + b) = (-a) + (-b) 

3. What is the value of -0? Give a reason for your answer. 
4. Use the axioms for the set of integers to show that if a and b are integers with ab = 0, then 
a = 0 or b = 0. 

5. Show that an integer a is positive if and only if a > 0. 

6. Use the definition of the ordering of integers, and the properties of the set of positive integers, 
to prove the following statements for integers a, b, and c with a < b and c < 0. 

a) a + c < b + c     c) ac > bc 

b) a 2 > 0 d) c 3 < 0 

7. Show that if a, b, and c are integers with a > b and b > c, then a > c. 

8. Show that there is no positive integer that is less than 1. 
B 


Sums of two terms are called binomial expressions. Powers of binomial expressions are 
used throughout number theory and throughout mathematics. In this section, we will 
define the binomial coefficients and show that these are precisely the coefficients that 
arise in expansions of powers of binomial expressions. 


Definition. Let m and k be nonnegative integers with $k \le m$. The binomial coefficient 
$\binom{m}{k}$ is defined by 

$$\binom{m}{k} = \frac{m!}{k!\,(m-k)!}.$$

When k and m are positive integers with k > m, we define $\binom{m}{k} = 0$. 


In computing $\binom{m}{k}$, we see that there is a good deal of cancellation, because 

$$\binom{m}{k} = \frac{m!}{k!\,(m-k)!} = \frac{1 \cdot 2 \cdot 3 \cdots (m-k)(m-k+1) \cdots (m-1)m}{k! \; 1 \cdot 2 \cdot 3 \cdots (m-k)} = \frac{(m-k+1) \cdots (m-1)m}{k!}.$$


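Example B.1. To evaluate the binomial coefficient $\binom{7}{3}$, we note that 

$$\binom{7}{3} = \frac{7!}{3!\,4!} = \frac{1 \cdot 2 \cdot 3 \cdot 4 \cdot 5 \cdot 6 \cdot 7}{1 \cdot 2 \cdot 3 \cdot 1 \cdot 2 \cdot 3 \cdot 4} = \frac{5 \cdot 6 \cdot 7}{1 \cdot 2 \cdot 3} = 35.$$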


We now prove some simple properties of binomial coefficients. 
Theorem B.1. Let n and k be nonnegative integers with k < n. Then 



Proof. To see that (i) is true, note that 



0 _ n - _ n - _ i 

n !0! n ! 


To verify (ii), we see that 

$$\binom{n}{k} = \frac{n!}{k!\,(n-k)!} = \frac{n!}{(n-k)!\,(n-(n-k))!} = \binom{n}{n-k}.$$

An important property of binomial coefficients is the following identity. 

Theorem B.2. Pascal’s Identity. Let n and k be positive integers with n > k. Then 

$$\binom{n}{k} + \binom{n}{k-1} = \binom{n+1}{k}.$$

Proof. We perform the addition 

$$\binom{n}{k} + \binom{n}{k-1} = \frac{n!}{k!\,(n-k)!} + \frac{n!}{(k-1)!\,(n-k+1)!}$$

by using the common denominator $k!\,(n-k+1)!$. This gives 

$$\binom{n}{k} + \binom{n}{k-1} = \frac{n!\,(n-k+1)}{k!\,(n-k+1)!} + \frac{n!\,k}{k!\,(n-k+1)!} = \frac{n!\,((n-k+1)+k)}{k!\,(n-k+1)!} = \frac{n!\,(n+1)}{k!\,(n-k+1)!} = \frac{(n+1)!}{k!\,(n-k+1)!} = \binom{n+1}{k}.$$

Using Theorem B.2, we can construct Pascal's triangle, named after French 
mathematician Blaise Pascal, who used the binomial coefficients in his analysis of gambling 
games. In Pascal’s triangle, the binomial coefficient $\binom{n}{k}$ is the (k + 1)st number in the 
(n + 1)st row. The first nine rows of Pascal’s triangle are displayed in Figure B.1. 
Pascal’s triangle appeared in Indian and Islamic mathematics several hundred years before 
it was studied by Pascal. 


                    1
                  1   1
                1   2   1
              1   3   3   1
            1   4   6   4   1
          1   5  10  10   5   1
        1   6  15  20  15   6   1
      1   7  21  35  35  21   7   1
    1   8  28  56  70  56  28   8   1

Figure B.1 Pascal’s triangle. 

We see that the exterior numbers in the triangle are all 1. To find an interior number, 
we simply add the two numbers in the positions above, and to either side, of the position 
being filled. From Theorem B.2, this yields the correct integer. 

Binomial coefficients occur in the expansion of powers of sums. Exactly how they 
occur is described by the binomial theorem. 

Theorem B.3. The Binomial Theorem. Let x and y be variables, and n be a positive 
integer. Then 

$$(x + y)^n = \binom{n}{0} x^n + \binom{n}{1} x^{n-1} y + \binom{n}{2} x^{n-2} y^2 + \cdots$$

or, using summation notation, 


BLAISE PASCAL (1623-1662) exhibited his mathematical talents early even 
though his father, who had made discoveries in analytic geometry, kept math- 
ematical books from him to encourage his other interests. At 16, Pascal dis- 
covered an important result concerning conic sections. At 18, he designed a 
calculating machine, which he had built and successfully sold. Later, Pascal 
made substantial contributions to hydrostatics. Pascal, together with Fermat, 
laid the foundations for the modern theory of probability. It was in his work 
on probability that Pascal made new discoveries concerning what is now called 
Pascal’s triangle, and gave what is considered to be the first lucid description of the principle of 
mathematical induction. In 1654, catalyzed by an intense religious experience, Pascal abandoned his 
mathematical and scientific pursuits to devote himself to theology. He returned to mathematics only 
once: one night, he had insomnia caused by the discomfort of a toothache and, as a distraction, he 
studied the mathematical properties of the cycloid. Miraculously, his pain subsided, which he took as 
a signal of divine approval of the study of mathematics. 
Proof. We use mathematical induction. When n = 1, according to the binomial theorem, 
the formula becomes 


But because $\binom{1}{0} = \binom{1}{1} = 1$, this states that $(x + y)^1 = x + y$, which is obviously true. 
We now assume that the theorem is true for the positive integer n, that is, we assume 


"'-SO- 


We must now verify that the corresponding formula holds with n replaced by n + 1, 
assuming the result holds for n. Hence, we have 

$$(x + y)^{n+1} = (x + y)^n (x + y)$$




We see, by removing terms from the sums and subsequently shifting indices, that 


sO-'-v 


£ ("V-v +i =i: ("V v +i +/ 

j = 0 'J' j = o 'J' 

-SC-0-'* v " 


Hence, we find that 


(x + y) n+l = x n+l + 


sio- 


By Pascal’s identity, we have 
so we conclude that 

$$(x + y)^{n+1} = x^{n+1} + \sum_{j=1}^{n} \binom{n+1}{j} x^{n-j+1} y^j + y^{n+1}.$$



This establishes the theorem. ■ 

The binomial theorem shows that the coefficients of $(x + y)^n$ are the numbers in the 
(n + 1)st row of Pascal’s triangle. 

We now illustrate one use of the binomial theorem. 


Corollary B.1. Let n be a nonnegative integer. Then 

Proof. Let x = 1 and y = 1 in the binomial theorem. ■ 

Corollary B.1 shows that if we add all elements of the (n + 1)st row of Pascal’s 
triangle, we get $2^n$. For instance, for the fifth row, we find that 



= 1 + 4 + 6 + 4 + 1 = 16 = $2^4$. 
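
The cancellation noted after the definition, Pascal's identity, and the row sums of Corollary B.1 can be checked against one another. The following Python is an added example, not code from the text; the function names are my own.

```python
def binomial(m, k):
    """Binomial coefficient computed from the cancelled form
    (m-k+1)...(m-1)m / k!, one factor at a time, so that no large
    factorial is ever formed and every intermediate value is an integer."""
    if m < 0 or k < 0:
        raise ValueError("m and k must be nonnegative")
    if k > m:
        return 0  # the convention stated in the definition
    k = min(k, m - k)  # symmetry shown in part (ii) of the proof of Theorem B.1
    result = 1
    for j in range(1, k + 1):
        # After this step result equals binomial(m - k + j, j).
        result = result * (m - k + j) // j
    return result


def pascal_rows(count):
    """First `count` rows of Pascal's triangle, built only with
    Pascal's identity (each interior entry is the sum of the two above)."""
    rows = [[1]]
    while len(rows) < count:
        prev = rows[-1]
        interior = [prev[k - 1] + prev[k] for k in range(1, len(prev))]
        rows.append([1] + interior + [1])
    return rows[:count]


def expansion_coefficients(a, b, n):
    """Coefficients of x^(n-j) y^j, j = 0..n, in (a*x + b*y)^n,
    obtained from the binomial theorem."""
    return [binomial(n, j) * a ** (n - j) * b ** j for j in range(n + 1)]


if __name__ == "__main__":
    for n, row in enumerate(pascal_rows(9)):
        # Each row agrees with the closed form and sums to 2^n.
        assert row == [binomial(n, k) for k in range(n + 1)]
        assert sum(row) == 2 ** n
        print(row)
    print(expansion_coefficients(1, 1, 4))
```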


Exercises 

1. Find the value of each of the following binomial coefficients. 

<0 (7) a)© e)0 

■»(?) <0© Offl 

2. Find the binomial coefficients $\binom{9}{3}$, $\binom{9}{4}$, and $\binom{10}{4}$, and verify that $\binom{9}{3} + \binom{9}{4} = \binom{10}{4}$. 

3. Use the binomial theorem to write out all terms in the expansions of the following expressions. 

a) (a + b ) 5 c) ( m - n) 1 e) (3* - 4y ) 5 

b) $(x + y)^{10}$     d) $(2a + 3b)^4$     f) $(5x + 7)^8$ 

4. What is the coefficient of $x^{99} y^{101}$ in $(2x + 3y)^{200}$? 

5. Let n be a positive integer. Using the binomial theorem to expand $(1 + (-1))^n$, show that 

k=o w 


6. Use Corollary B.l and Exercise 5 to find 

(KM:)- 
and 



+ • • • . 


7. Show that if n, r, and k are integers with 0 <k<r<n, then 



8. What is the largest value of $\binom{m}{n}$, where m is a positive integer and n is an integer such that 
0 < n < m? Justify your answer. 

9. Show that 

CMr)* *(:)-(:::)■ 

where n and r are integers with 1 < r < n. 


The binomial coefficients $\binom{x}{n}$, where x is a real number and n is a positive integer, can be defined 
recursively by the equations $\binom{x}{1} = x$ and 

$$\binom{x}{n+1} = \frac{x - n}{n + 1} \binom{x}{n}.$$

10. Show from the recursive definition that if x is a positive integer, then $\binom{x}{k} = \frac{x!}{k!\,(x-k)!}$, where k 
is an integer with 1 < k < x. 

11. Show from the recursive definition that if x is a positive integer, then $\binom{x}{n} + \binom{x}{n+1} = \binom{x+1}{n+1}$, 
whenever n is a positive integer. 

12. Show that the binomial coefficient $\binom{n}{k}$, where n and k are integers with 0 < k < n, gives the 
number of subsets with k elements of a set with n elements. 


13. Use Exercise 12 to give an alternate proof of the binomial theorem. 

14. Let S be a set with n elements and let $P_1$ and $P_2$ be two properties that an element of S may 
have. Show that the number of elements of S possessing neither property $P_1$ nor property $P_2$ 
is 

$$n - [n(P_1) + n(P_2) - n(P_1, P_2)],$$

where $n(P_1)$, $n(P_2)$, and $n(P_1, P_2)$ are the number of elements of S with property $P_1$, with 
property $P_2$, and both properties $P_1$ and $P_2$, respectively. 

15. Let S be a set with n elements and let $P_1$, $P_2$, and $P_3$ be three properties that an element of S 
may have. Show that the number of elements of S possessing none of the properties $P_1$, $P_2$, 
and $P_3$ is 

$$n - [n(P_1) + n(P_2) + n(P_3) - n(P_1, P_2) - n(P_1, P_3) - n(P_2, P_3) + n(P_1, P_2, P_3)],$$

where $n(P_{i_1}, \ldots, P_{i_k})$ is the number of elements of S with properties $P_{i_1}, \ldots, P_{i_k}$. 

16. In this exercise, we develop the principle of inclusion-exclusion. Suppose that S is a set with 
n elements and let $P_1, P_2, \ldots, P_t$ be t different properties that an element of S may have. 
Show that the number of elements of S possessing none of the t properties is 

$$n - [n(P_1) + n(P_2) + \cdots + n(P_t)] + [n(P_1, P_2) + n(P_1, P_3) + \cdots + n(P_{t-1}, P_t)] - [n(P_1, P_2, P_3) + n(P_1, P_2, P_4) + \cdots + n(P_{t-2}, P_{t-1}, P_t)] + \cdots + (-1)^t n(P_1, P_2, \ldots, P_t),$$

where $n(P_{i_1}, P_{i_2}, \ldots, P_{i_j})$ is the number of elements of S possessing all of the properties 
$P_{i_1}, P_{i_2}, \ldots, P_{i_j}$. The first expression in brackets contains a term for each property, the 
second expression in brackets contains terms for all combinations of two properties, the third 
expression contains terms for all combinations of three properties, and so forth. (Hint: For 
each element of S, determine the number of times it is counted in the above expression. If an 
element has k of the properties, show that it is counted $1 - \binom{k}{1} + \binom{k}{2} - \cdots + (-1)^k \binom{k}{k}$ times; 
this is 0 when k > 0, by Exercise 5.) 

17. What are the coefficients of $(x_1 + x_2 + \cdots + x_m)^n$? These coefficients are called multinomial 
coefficients. 

18. Write out all terms in the expansion of (x + y + z) 1 . 

19. What is the coefficient of $x^3 y^4 z^5$ in the expansion of $(2x - 3y + 5z)^{12}$? 

Computational and Programming Exercises 

1. Find the least integer n such that there is a binomial coefficient $\binom{n}{k}$, where k is a positive 
integer greater than 1,000,000. 

Programming Projects 

1. Evaluate binomial coefficients. 

2. Given a positive integer n, print out the first n rows of Pascal’s triangle. 

3. Expand (x + y) n , given a positive integer n, using the binomial theorem. 



C Using Maple and Mathematica 
for Number Theory 


Investigating questions in number theory often requires computations with large integers. 
Fortunately, there are many tools available today that can be used for such computations. 
This appendix describes how two of the most popular of these tools, Maple and Mathe- 
matica, can be used to perform computations in number theory. We will concentrate on 
existing commands in these two systems, both of which support extensive programming 
environments that can be used to create useful programs for studying number theory. We 
will not describe these programming environments here. 


C.1 Using Maple for Number Theory 

The Maple system is a comprehensive environment for numerical and symbolic compu- 
tations. It can also be used to develop additional functionality. We will briefly describe 
some of the existing support for number theory in Maple. For additional information 
about Maple, consult the Maple Web site at http://www.maplesoft.com. 

In Maple, commands for computations in number theory can be found in the 
numtheory package. Some useful commands for number theory are included in the 
standard set of Maple commands, and a few are found in other packages, such as the 
combinat package of combinatorics commands. You need to let Maple know when 
you want to use one or more commands from a package. This can be done in two 
ways: You can either load the package and then use any of its commands, or you can 
prepend the name of the package to a particular command. For example, after running 
the command with(numtheory), you can use commands from the numtheory package 
as you would standard commands. You can also run commands from this package by 
simply prepending the name of the package before the command. You will need to do this 
every time you use a command from the package, unless you run the with(numtheory) 
command. 

Additional Maple commands for number theory can be found in the Maple V Share 
Library, which can be accessed at the Maplesoft Application Center on the Web. 

A useful reference for using Maple to explore number theory (and other topics in 
discrete mathematics) is Exploring Discrete Mathematics with Maple [Ro97] (an updated 
version will be available at the Web site for the seventh edition of [Ro07]). This 
book explains how to use Maple to find greatest common divisors and least common 
multiples, apply the Chinese remainder theorem, factor integers, run primality tests, find base 
b expansions, encrypt and decrypt using classical ciphers and the RSA cryptosystem, and 
perform other number theoretic computations. Also, Maple worksheets for number 
theory and cryptography, written by John Cosgrave for a course at St. Patrick’s College in 
Dublin, Ireland, can be found at http://www.spd.dcu.ie/johnbcos/Maple_3rd_year.htm. 

Maple Number Theory Commands 

The Maple commands relevant to material in this text are presented according to the 
chapter in which that material is covered. These commands are useful for checking com- 
putations in the text, for working or checking some exercises, and for the computations 
and explorations at the end of each section. Furthermore, programs in Maple can be 
written for many of the explorations and programming projects listed at the end of each 
section. For information about programming in Maple, consult the appropriate Maple ref- 
erence materials, such as the introductory and advanced programming guides available 
on the Maplesoft Web site. 

Chapter 1 

combinat[fibonacci](n) computes the nth Fibonacci number. 

iquo(int1, int2) computes the quotient when int1 is divided by int2. 

irem(int1, int2) computes the remainder when int1 is divided by int2. 

floor(expr) computes the largest integer less than or equal to the real expression expr. 

numtheory[divisors](n) computes the positive divisors of the integer n. 

Maple code for investigating the Collatz 3x + 1 problem has been written by Gaston 
Gonnet and is available in the Maple V Release 5 Share Library. 

Chapter 2 

convert(int, base, posint) converts the integer int in decimal notation to a list 
representing its digits base posint. 

convert(int, binary) converts the integer int in decimal notation to its binary 
equivalent. 

convert(int, hex) converts the integer int in decimal notation to its hexadecimal 
equivalent. 

convert(bin, decimal, binary) converts the integer bin in binary notation to its 
decimal equivalent. 

convert(oct, decimal, octal) converts the integer oct in octal notation to its decimal 
equivalent. 

convert(hex, decimal, hex) converts the integer hex in hexadecimal notation to its 
decimal equivalent. 

Chapter 3 

isprime(n) tests whether n is prime. 

ithprime(n) calculates the nth prime number where n is a positive integer. 

prevprime(n) calculates the largest prime smaller than the integer n. 

numtheory[fermat](n) calculates the nth Fermat number. 

ifactor(n) finds the prime-power factorization of an integer n. 

ifactors(n) finds the prime integer factors of an integer n. 

igcd(int1, ..., intn) computes the greatest common divisor of integers int1, ..., intn. 

igcdex(int1, int2) computes the greatest common divisor of the integers int1 and int2 
using the extended Euclidean algorithm, which also expresses the greatest common 
divisor as a linear combination of int1 and int2. 

ilcm(int1, ..., intn) computes the least common multiple of the integers int1, ..., intn. 

Chapter 4 

The operator mod can be used in Maple; for example, 17 mod 4 tells Maple to reduce 17 
to its least residue modulo 4. 

msolve(eqn, m) finds the integer solutions modulo m of the equation eqn. 

chrem([n1, ..., nr], [m1, ..., mr]) computes the unique positive integer int such that 
int mod mi = ni for i = 1, ..., r. 

Chapter 6 

numtheory[phi](n) computes the value of the Euler phi function at n. 

Chapter 7 

numtheory[invphi](n) computes the positive integers m with $\phi(m) = n$. 

numtheory[sigma](n) computes the sum of the positive divisors of the integer n. 

numtheory[tau](n) computes the number of positive divisors of the integer n. 

numtheory[bigomega](n) computes the value of $\Omega(n)$, the number of prime 
factors of n. 

numtheory[mersenne](n) determines whether the nth Mersenne number $M_n = 2^n - 1$ 
is prime. 

numtheory[mobius](n) computes the value of the Möbius function at the integer n. 

combinat[partition](n) lists all partitions of the positive integer n. 

combinat[partition](n, m) lists all partitions of the positive integer n with all parts 
not exceeding m. 

Chapter 9 

numtheory[order](n1, n2) computes the order of n1 modulo n2. 

numtheory[primroot](n) computes the smallest primitive root modulo n. 

numtheory[mlog](n1, n2, n3) computes the index, or discrete logarithm, of n1 to the 
base n2 modulo n3. (The function numtheory[index](n1, n2, n3) is identical to this 
function.) 

numtheory[lambda](n) computes the minimal universal exponent of n. 

Chapter 11 

numtheory[quadres](int1, int2) determines whether int1 is a quadratic residue 
modulo int2. 

numtheory[legendre](n1, n2) computes the value of the Legendre symbol. 

numtheory[jacobi](n1, n2) computes the value of the Jacobi symbol. 

numtheory[msqrt](n1, n2) computes the square root of n1 modulo n2. 

Chapter 12 

numtheory[pdexpand](rat) computes the periodic decimal expansion of the rational 
number rat. 

numtheory[cfrac](rat) computes the continued fraction of the rational number rat. 

numtheory[invcfrac](cf) converts a periodic continued fraction cf to a quadratic 
irrational number. 

Chapter 13 

numtheory[sum2sqr](n) computes all sums of two squares that sum to n. 

Chapter 14 

Maple supports a special package for working with Gaussian integers. To use the com- 
mands in this package, first run the command 

with(GaussInt); 

After running this command, you can add, subtract, multiply, and form powers of 
Gaussian integers using the same operators as you ordinarily do. Maple requires that you 
enter the Gaussian integer a + ib as a + b*I. (That is, you must include the * operator 
between b and the letter I, which Maple uses to represent the imaginary number i.) 

GaussInt[GInearest](c) returns the Gaussian integer closest to the complex number 
c, where the Gaussian integer of smallest norm is chosen in the case of ties. 

GaussInt[GIquo](m, n) finds the Gaussian integer quotient when m is divided by n. 

GaussInt[GIrem](m, n) finds the Gaussian integer remainder when m is 
divided by n. 

GaussInt[GInorm](m) gives the norm of the complex number m. 

GaussInt[GIprime](m) returns true when m is a Gaussian prime and false otherwise. 

GaussInt[GIfactor](m) returns a factorization of m into a unit and Gaussian primes. 

GaussInt[GIfactors](m) finds a unit and Gaussian prime factors and their 
multiplicities in a factorization of the Gaussian integer m. 

GaussInt[GIsieve](m), where m is a positive integer, generates a list of Gaussian primes 
a + ib with 0 < a < b and norm not exceeding $m^2$. 

GaussInt[GIdivisor](m) finds the set of divisors of the Gaussian integer m in the 
first quadrant. 

GaussInt[GInodiv](m) computes the number of nonassociated divisors of m. 

GaussInt[GIgcd](m1, m2, ..., mr) finds the greatest common divisor in the first 
quadrant of the Gaussian integers m1, m2, ..., mr. 

GaussInt[GIgcdex](a, b, 's', 't') finds the greatest common divisor in the first 
quadrant of the Gaussian integers a and b and finds integers s and t such that as + bt 
equals this greatest common divisor. 

GaussInt[GIchrem]([a0, a1, ..., ar], [u0, u1, ..., ur]) computes the unique 
Gaussian integer m such that m is congruent to ai modulo ui for i = 1, 2, ..., r. 

GaussInt[GIlcm](a1, ..., ar) finds the least common multiple in the first quadrant 
(that is, with positive real part and nonnegative imaginary part), in terms of norm, of the Gaussian 
integers a1, ..., ar. 

GaussInt[GIphi](n) returns the number of Gaussian integers in a reduced residue set 
modulo n, where n is a Gaussian integer. 

GaussInt[GIquadres](a, b) returns 1 if the Gaussian integer a is a quadratic residue 
of the Gaussian integer b and -1 if a is a quadratic nonresidue of b. 

Appendices 

binomial (n, r) computes the binomial coefficient n choose r. 


C.2 Using Mathematica for Number Theory

The Mathematica system provides a comprehensive environment for numerical and 
symbolic computations. It can also be used to develop additional functionality. We will 
describe the existing Mathematica support for computations relating to the number 
theory covered in this text. For additional information on Mathematica, consult the 
Mathematica Web site at http://www.mathematica.com. 

Mathematica supports many number theory commands as part of its basic system.
Additional number theory commands can be found in Mathematica packages that are
collections of programs implementing functions in particular areas. The Mathematica
system bundles some add-on packages, called standard packages, with its basic
offerings. These standard packages include a group supporting commands for functions
from number theory, including ContinuedFractions, FactorIntegerECM,
NumberTheoryFunctions, and PrimeQ. There are other Mathematica packages that can
be obtained using the Internet; access them at http://www.mathsource.com. Consult the
Mathematica Book [Wo03] to learn how to load and use them.

You cannot use a command from a package without having first told Mathematica that
you want to run commands from this package, which is done by loading it. For example,
to load the package NumberTheoryFunctions, use the command

In[1]:= <<NumberTheory`NumberTheoryFunctions`

Another resource for using Mathematica for number theory computations is
Mathematica in Action by Stan Wagon [Wa99]. This book contains useful discussions of how
to use Mathematica to investigate large primes, run extended versions of the Euclidean
algorithm, solve linear diophantine equations, use the Chinese remainder theorem, work
with continued fractions, and generate prime certificates.

Number Theory Commands in Mathematica 

The Mathematica commands relevant to material covered in this book are presented here
according to the chapter in which that material is covered. (The command for loading
these functions if they are part of add-on packages is also provided.) These commands
are useful for checking computations in the text, for working or checking some of the
exercises, and for the computations and explorations at the end of each section.
Furthermore, it is possible to write programs in Mathematica for many of the explorations
and programming projects listed at the end of each section. Consult Mathematica
reference materials, such as the Mathematica Book [Wo03], for information about writing
programs in Mathematica.

Chapter 1 

Fibonacci[n] gives the nth Fibonacci number f_n.

Quotient[m, n] gives the integer quotient when m is divided by n.

Mod[m, n] gives the remainder when m is divided by n.

The Collatz (3x + 1) problem has been implemented in Mathematica by Ilan Vardi.
You can access this Mathematica package at
http://library.wolfram.com/infocenter/Demos/153/.

Chapter 2 

IntegerDigits[n, b] gives a list of the base b digits of n.

Chapter 3 

PrimeQ[n] produces output True if n is prime and False if n is not prime.

Prime[n] gives the nth prime number.

PrimePi[x] gives the number of primes less than or equal to x.

In[1]:= <<NumberTheory`NumberTheoryFunctions`

NextPrime[n] gives the smallest prime larger than n.

GCD[n_1, n_2, ..., n_k] gives the greatest common divisor of the integers
n_1, n_2, ..., n_k.

ExtendedGCD[n, m] gives the extended greatest common divisor of the integers n
and m.

LCM[n_1, n_2, ..., n_k] gives the least common multiple of the integers
n_1, n_2, ..., n_k.

FactorInteger[n] produces a list of the prime factors of n and their exponents.

Divisors[n] gives a list of the integers that divide n.

IntegerExponent[n, b] gives the highest power of b that divides n.

In[1]:= <<NumberTheory`NumberTheoryFunctions`

SquareFreeQ[n] returns True if n contains a squared factor and False otherwise.

In[1]:= <<NumberTheory`FactorIntegerECM`

FactorIntegerECM[n] gives a factor of a composite integer n produced using Lenstra’s
elliptic curve factorization method.

Chapter 4 

Mod[k, n] gives the least nonnegative residue of k modulo n.

Mod[k, n, 1] gives the least positive residue of k modulo n.

Mod[k, n, -n/2] gives the absolute least residue of k modulo n.

PowerMod[a, b, n] gives the value of a^b mod n. Taking b = -1 gives the inverse of a
modulo n, if it exists.

In[1]:= <<NumberTheory`NumberTheoryFunctions`

ChineseRemainder[list_1, list_2] gives the smallest nonnegative integer r such that
Mod[r, list_2] equals list_1. (For example, ChineseRemainder[{r_1, r_2}, {m_1, m_2}]
produces the solution of the simultaneous congruence x ≡ r_1 mod m_1 and x ≡ r_2 mod m_2.)

Chapter 6 

EulerPhi[n] gives the value of the Euler phi function at n.

Chapter 7

DivisorSigma[k, n] gives the value of the sum of the kth powers of divisors function
at n. Taking k = 1 gives the sum of divisors function at n. Taking k = 0 gives the number
of divisors of n.

MoebiusMu[n] gives the value of μ(n).

PartitionsP[n] gives p(n), the number of partitions of the positive integer n.

IntegerPartitions[n] gives a list of all partitions of the integer n.

IntegerPartitions[n, k] gives a list of partitions of n into at most k integers.

Chapter 8 

The RSA Public Key Cryptosystem has been implemented in Mathematica by Stephan 
Kaufmann. You can obtain the Mathematica package, instructions for how to use it, and 
a Mathematica notebook at http://library.wolfram.com/infocenter/MathSource/1966/. 

Chapter 9 

MultiplicativeOrder[k, n] gives the order of k modulo n.

PrimitiveRoot[n] gives a primitive root of n when n has a primitive root, and does
not evaluate when it does not.

In[1]:= <<NumberTheory`PrimeQ`

PrimeQCertificate[n] produces a certificate verifying that n is prime or composite.

CarmichaelLambda[n] gives the minimal universal exponent λ(n).

Chapter 11

JacobiSymbol[n, m] gives the value of the Jacobi symbol (n/m).

SqrtMod[d, n] gives a square root of d modulo n for odd n.

Chapter 12 

RealDigits[x] gives a list of the digits in the decimal expansion of x.

RealDigits[x, b] gives a list of the digits in the base b expansion of x.

The following functions dealing with decimal expansions are part of the
NumberTheory`ContinuedFractions` package. Load this package using
In[1]:= <<NumberTheory`ContinuedFractions` before using them.

PeriodicForm[{a_0, ..., {a_m, ...}}, exp] presents a repeated decimal expansion in
terms of a preperiodic and a periodic part.

PeriodicForm[{a_0, ..., {a_m, ...}}, expr, b] represents a base b expansion.

Normal[PeriodicForm[args]] gives the rational number corresponding to a decimal
expansion.

The following functions dealing with continued fractions are part of the
NumberTheory`ContinuedFractions` package. Load this package using
In[1]:= <<NumberTheory`ContinuedFractions` before using them.

ContinuedFraction[x, n] gives the first n terms of the continued fraction expansion
of x.

ContinuedFraction[x] gives the complete continued fraction expansion of a
quadratic irrational number.

FromContinuedFraction[list] finds a number from its continued fraction expansion.

ContinuedFractionForm[{a_0, a_1, ...}] represents the continued fraction with partial
quotients a_0, a_1, ....

ContinuedFractionForm[{a_0, a_1, {p_0, p_1, ...}}] represents the continued
fraction with partial quotients a_0, a_1, ... and additional quotients p_1, p_2, ....

Normal[ContinuedFractionForm[quotients]] gives the rational or quadratic
irrational number corresponding to the given continued fraction.

Convergents[rat] gives the convergents for all terms of the continued fraction of a
rational or quadratic irrational x.

Convergents[num, terms] gives the convergents for the given number of terms of the
continued fraction expansion of num.

Convergents[cf] gives the convergents for the particular continued fraction cf
returned from ContinuedFraction or ContinuedFractionForm.

QuadraticIrrationalQ[expr] tests whether expr is a quadratic irrational.

Chapter 14 

Divisors[n, GaussianIntegers -> True] lists all Gaussian integer divisors of the
Gaussian integer n.

DivisorSigma[k, n, GaussianIntegers -> True] gives the sum of the kth powers of
the Gaussian integer divisors of the Gaussian integer n.

FactorInteger[n, GaussianIntegers -> True] produces a list of the Gaussian prime
factors of the Gaussian integer n with positive real parts, and nonnegative imaginary
parts, their exponents, and a unit.

PrimeQ[n, GaussianIntegers -> True] returns the value of True if n is a Gaussian
prime and False otherwise.

Appendices

Binomial[n, m] gives the values of the binomial coefficient (n choose m).




Number Theory Web Links 


In this appendix, we provide an annotated list of key number theory Web sites. These 
sites are excellent starting points for an exploration of number theory resources on the 
Web. At the time of publication of this book, these sites could be found at the URLs 
listed here. However, with the ephemeral nature of the Web, the addresses of these sites 
may change, they may cease to exist, or their content may change, and neither the author 
nor the publisher of this book is able to vouch for the contents of these sites. If you have 
trouble locating these sites, you may want to try using a search engine to see whether 
they can be found at a new URL. You will also want to consult the comprehensive guide 
to all the Web references for this book at http://www.awlonline.com/rosen. This guide 
will help you locate some of the more difficult-to-find sites relevant to number theory 
and to cryptography. 


The Fibonacci Numbers and the Golden Section
(http://www.maths.surrey.ac.uk/hosted-sites/R.Knott/Fibonacci/)

An amazing collection of information about the Fibonacci numbers, including their 
history, where they arise in nature, puzzles involving the Fibonacci numbers, and their 
mathematical properties can be found on this site. Additional material addresses the 
golden section. An extensive collection of links to other sites makes this an excellent 
place to start your exploration for information about Fibonacci numbers. 


The Prime Pages (http://www.utm.edu/research/primes/) 

This is the premier site for information about prime numbers. You can find a glossary, 
primers, articles, the Prime FAQ, current records, conjectures, extensive lists of primes 
and prime factorizations, as well as links to other sites, including those that provide 
useful software. This is a great site for exploring the world of primes! 


The Great Internet Prime Search (http://www.mersenne.org) 

Find the latest discoveries about Mersenne primes at this site. You can download software 
from this site to search for Mersenne primes, as well as primes of other special forms. 
Links to other sites related to searching for primes and factoring are provided. This is 
the site to visit to sign up for the communal search for a new prime of world-record size! 
The MacTutor History of Mathematics Archives
(http://www-groups.dcs.st-and.ac.uk/history/index.html)

This is the main site to visit for biographies of mathematicians. Hundreds of important
mathematicians from ancient to modern times are covered. You can also find essays on
the history of important mathematical topics, including the prime numbers and Fermat’s
last theorem.

Frequently Asked Questions in Mathematics
(http://www.cs.uwaterloo.ca/~alopez-o/math-faq/math-faq.html)

This is a compilation of the frequently asked questions from the USENET newsgroup
sci.math. It contains several sections of questions relating to number theory, including
primes and Fermat’s last theorem, as well as a potpourri of historical information and
mathematical trivia.

The Number Theory Web (http://www.numbertheory.org/ntw/web.html)

This site provides an amazing collection of links to sites containing information relevant
to number theory. You can find links to sites providing software for number theory
calculations, course notes, articles, online theses, historical and biographical information,
conference information, job postings, and everything else on the Web related to number
theory.

RSA Labs-Cryptography FAQ
(http://www.rsa.com/products/bsafe/documentation/crypto-c_me2lhtml/RSA_Labs_FAQ_4.1.pdf/)

This site provides an excellent overview of modern cryptography. You can find
descriptions of cryptographic applications, cryptographic protocols, public and private key
cryptosystems, and the mathematics behind them.

The Mathematics of Fermat’s Last Theorem (http://cgd.best.vwh.net/home/flt/flt01.htm)

This site provides an excellent introduction to Fermat’s last theorem. It provides
discussions of each of the important topics involved in the proof of the theorem.

NOVA Online-The Proof (http://www.pbs.org/wgbh/nova/proof)

This site provides material relating to a television program on the proof of Fermat’s last
theorem. Included are transcripts of the program and of an interview with Andrew Wiles,
as well as links to other sites on Fermat’s last theorem.



Tables 


E 


Table E.1 gives the least prime factor of each odd positive integer less than 10,000 and
not divisible by 5. The initial digits of the integer are listed to the side, and the last digit
is at the top of the column. Primes are indicated with a dash. The table is reprinted with
permission from U. Dudley, Elementary Number Theory, Second Edition, Copyright ©
1969 and 1978 by W. H. Freeman and Company. All rights reserved.

Table E.3 gives the least primitive root r modulo p for each prime p, p < 1000.

Table E.4 is reprinted with permission from J. V. Uspensky and M. A. Heaslet,
Elementary Number Theory, McGraw-Hill Book Company. Copyright © 1939.
Table E.1 Factor table.

Table E.1 (continued)

       1   3   7   9           1   3   7   9           1   3   7   9           1   3   7   9
480   —   3  11   3    520   7  11  41   —    560   3  13   3  71    600  17   3   —   3
481  17   —   —  61    521   3  13   3  17    561  31   3  41   3    601   —   7  11  13
482   3   7   3  11    522  23   3   —   3    562   7   —  17  13    602   3  19   3   —
483   —   3   7   3    523   —   —   —  13    563   3  43   3   —    603  37   3   —   3
484  47  29  37  13    524   3   7   3  29    564   —   3   —   3    604   7   —   —  23
485   3  23   3  43    525  59   3   7   3    565   —   —   —   —    605   3   —   3  73
486   —   3  31   3    526   —  19  23  11    566   3   7   3   —    606  11   3   —   3
487   —  11   —   7    527   3   —   3   —    567  53   3   7   3    607  13   —  59   —
488   3  19   3   —    528   —   3  17   3    568  13   —  11   —    608   3   7   3   —
489  67   3  59   3    529  11  67   —   7    569   3   —   3  41    609   —   3   7   3
490  13   —   7   —    530   3   —   3   —    570   —   3  13   3    610   —  17  31  41
491   3  17   3   —    531  47   3  13   3    571   —  29   —   7    611   3   —   3  29
492   7   3  13   3    532  17   —   7  73    572   3  59   3  17    612   —   3  11   3
493   —   —   —  11    533   3   —   3  19    573  11   3   —   3    613   —   —  17   7
494   3   —   3   7    534   7   3   —   3    574   —   —   7   —    614   3   —   3  11
495   —   3   —   3    535   —  53  11  23    575   3  11   3  13    615   —   3  47   3
496  11   7   —   —    536   3  31   3   7    576   7   3  73   3    616  61   —   7  31
497   3   —   3  13    537  41   3  19   3    577  29  23  53   —    617   3   —   3  37
498  17   3   —   3    538   —   7   —  17    578   3   —   3   7    618   7   3  23   3
499   7   —  19   —    539   3   —   3   —    579   —   3  11   3    619  41  11   —   —
500   3   —   3   —    540  11   3   —   3    580   —   7   —  37    620   3   —   3   7
501   —   3  29   3    541   7   —   —   —    581   3   —   3  11    621   —   3   —   3
502   —   —  11  47    542   3  11   3  61    582   —   3   —   3    622   —   7  13   —
503   3   7   3   —    543   —   3   —   3    583   7  19  13   —    623   3  23   3  17
504  71   3   7   3    544   —   —  13   —    584   3   —   3   —    624  79   3   —   3
505   —  31  13   —    545   3   7   3  53    585   —   3   —   3    625   7  13   —  11
506   3  61   3  37    546  43   3   7   3    586   —  11   —   —    626   3   —   3   —
507  11   3   —   3    547   —  13   —   —    587   3   7   3   —    627   —   3   —   3
508   —  13   —   7    548   3   —   3  11    588   —   3   7   3    628  11  61   —  19
509   3  11   3   —    549  17   3  23   3    589  43  71   —  17    629   3   7   3   —
510   —   3   —   3    550   —   —   —   7    590   3   —   3  19    630   —   3   7   3
511  19   —   7   —    551   3  37   3   —    591  23   3  61   3    631   —  59   —  71
512   3  47   3  23    552   —   3   —   3    592  31   —   —   7    632   3   —   3   —
513   7   3  11   3    553   —  11   7  29    593   3  17   3   —    633  13   3   —   3
514  53  37   —  19    554   3  23   3  31    594  13   3  19   3    634  17   —  11   7
515   3   —   3   7    555   7   3   —   3    595  11   —   7  59    635   3   —   3   —
516  13   3   —   3    556  67   —  19   —    596   3  67   3  47    636   —   3   —   3
517   —   7  31   —    557   3   —   3   7    597   7   3  43   3    637  23   —   7   —
518   3  71   3   —    558   —   3  37   3    598   —  31   —  53    638   3  13   3   —
519  29   3   —   3    559   —   7  29  11    599   3  13   3   7    639   7   3   —   3
       1   3   7   9           1   3   7   9           1   3   7   9           1   3   7   9
960   —   3  13   3    970  89  31  17   7    980   3   —   3  17    990   —   3   —   3
961   7   —  59   —    971   3  11   3   —    981   —   3   —   3    991  11  23  47   7
962   3   —   3   —    972   —   3  71   3    982   7  11  31   —    992   3   —   3   —
963   —   3  23   3    973  37   —   7   —    983   3   —   3   —    993   —   3  19   3
964  31   —  11   —    974   3   —   3   —    984  13   3  43   3    994   —  61   7   —
965   3   7   3  13    975   7   3  11   3    985   —  59   —   —    995   3  37   3  23
966   —   3   7   3    976  43  13   —   —    986   3   7   3  71    996   7   3   —   3
967  19  17   —   —    977   3  29   3   7    987   —   3   7   3    997  13   —  11  17
968   3  23   3   —    978   —   3   —   3    988  41   —   —  11    998   3  67   3   7
969  11   3   —   3    979   —   7  97  41    989   3  13   3  19    999  97   3  13   3
  n  φ(n)  τ(n)  σ(n)        n  φ(n)  τ(n)  σ(n)
  1     1     1     1       51    32     4    72
  2     1     2     3       52    24     6    98
  3     2     2     4       53    52     2    54
  4     2     3     7       54    18     8   120
  5     4     2     6       55    40     4    72
  6     2     4    12       56    24     8   120
  7     6     2     8       57    36     4    80
  8     4     4    15       58    28     4    90
  9     6     3    13       59    58     2    60
 10     4     4    18       60    16    12   168
 11    10     2    12       61    60     2    62
 12     4     6    28       62    30     4    96
 13    12     2    14       63    36     6   104
 14     6     4    24       64    32     7   127
 15     8     4    24       65    48     4    84
 16     8     5    31       66    20     8   144
 17    16     2    18       67    66     2    68
 18     6     6    39       68    32     6   126
 19    18     2    20       69    44     4    96
 20     8     6    42       70    24     8   144
 21    12     4    32       71    70     2    72
 22    10     4    36       72    24    12   195
 23    22     2    24       73    72     2    74
 24     8     8    60       74    36     4   114
 25    20     3    31       75    40     6   124
 26    12     4    42       76    36     6   140
 27    18     4    40       77    60     4    96
 28    12     6    56       78    24     8   168
 29    28     2    30       79    78     2    80
 30     8     8    72       80    32    10   186
 31    30     2    32       81    54     5   121
 32    16     6    63       82    40     4   126
 33    20     4    48       83    82     2    84
 34    16     4    54       84    24    12   224
 35    24     4    48       85    64     4   108
 36    12     9    91       86    42     4   132
 37    36     2    38       87    56     4   120
 38    18     4    60       88    40     8   180
 39    24     4    56       89    88     2    90
 40    16     8    90       90    24    12   234
 41    40     2    42       91    72     4   112
 42    12     8    96       92    44     6   168
 43    42     2    44       93    60     4   128
 44    20     6    84       94    46     4   144
 45    24     6    78       95    72     4   120
 46    22     4    72       96    32    12   252
 47    46     2    48       97    96     2    98
 48    16    10   124       98    42     6   171
 49    42     3    57       99    60     6   156
 50    20     6    93      100    40     9   217

Table E.2 Values of some arithmetic functions.
  p   r       p   r       p   r       p   r
  2   1     191  19     439  15     709   2
  3   2     193   5     443   2     719  11
  5   2     197   2     449   3     727   5
  7   3     199   3     457  13     733   6
 11   2     211   2     461   2     739   3
 13   2     223   3     463   3     743   5
 17   3     227   2     467   2     751   3
 19   2     229   6     479  13     757   2
 23   5     233   3     487   3     761   6
 29   2     239   7     491   2     769  11
 31   3     241   7     499   7     773   2
 37   2     251   6     503   5     787   2
 41   6     257   3     509   2     797   2
 43   3     263   5     521   3     809   3
 47   5     269   2     523   2     811   3
 53   2     271   6     541   2     821   2
 59   2     277   5     547   2     823   3
 61   2     281   3     557   2     827   2
 67   2     283   3     563   2     829   2
 71   7     293   2     569   3     839  11
 73   5     307   5     571   3     853   2
 79   3     311  17     577   5     857   3
 83   2     313  10     587   2     859   2
 89   3     317   2     593   3     863   5
 97   5     331   3     599   7     877   2
101   2     337  10     601   7     881   3
103   5     347   2     607   3     883   2
107   2     349   2     613   2     887   5
109   6     353   3     617   3     907   2
113   3     359   7     619   2     911  17
127   3     367   6     631   3     919   7
131   2     373   2     641   3     929   3
137   3     379   2     643  11     937   5
139   2     383   5     647   5     941   2
149   2     389   2     653   2     947   2
151   6     397   5     659   2     953   3
157   5     401   3     661   2     967   5
163   2     409  21     673   5     971   6
167   5     419   2     677   2     977   3
173   2     421   2     683   5     983   5
179   2     431   7     691   3     991   6
181   2     433   5     701   2     997   7

Table E.3 Primitive roots modulo primes.




                                Numbers
  p    1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
                                Indices
  3    2   1
  5    4   1   3   2
  7    6   2   1   4   5   3
 11   10   1   8   2   4   9   7   3   6   5
 13   12   1   4   2   9   5  11   3   8  10   7   6
 17   16  14   1  12   5  15  11  10   2   3   7  13   4   9   6   8
 19   18   1  13   2  16  14   6   3   8  17  12  15   5   7  11   4
 23   22   2  16   4   1  18  19   6  10   3   9  20  14  21  17   8
 29   28   1   5   2  22   6  12   3  10  23  25   7  18  13  27   4
 31   30  24   1  18  20  25  28  12   2  14  23  19  11  22  21   6
 37   36   1  26   2  23  27  32   3  16  24  30  28  11  33  13   4
 41   40  26  15  12  22   1  39  38  30   8   3  27  31  25  37  24
 43   42  27   1  12  25  28  35  39   2  10  30  13  32  20  26  24
 47   46  18  20  36   1  38  32   8  40  19   7  10  11   4  21  26
 53   52   1  17   2  47  18  14   3  34  48   6  19  24  15  12   4
 59   58   1  50   2   6  51  18   3  42   7  25  52  45  19  56   4
 61   60   1   6   2  22   7  49   3  12  23  15   8  40  50  28   4
 67   66   1  39   2  15  40  23   3  12  16  59  41  19  24  54   4
 71   70   6  26  12  28  32   1  18  52  34  31  38  39   7  54  24
 73   72   8   6  16   1  14  33  24  12   9  55  22  59  41   7  32
 79   78   4   1   8  62   5  53  12   2  66  68   9  34  57  63  16
 83   82   1  72   2  27  73   8   3  62  28  24  74  77   9  17   4
 89   88  16   1  32  70  17  81  48   2  86  84  33  23   9  71  64
 97   96  34  70  68   1   8  31   6  44  35  86  42  25  65  71  40

                                Numbers
  p   17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33
                                Indices
 19   10   9
 23    7  12  15   5  13  11
 29   21  11   9  24  17  26  20   8  16  19  15  14
 31    7  26   4   8  29  17  27  13  10   5   3  16   9  15
 37    7  17  35  25  22  31  15  29  10  12   6  34  21  14   9   5  20
 41   33  16   9  34  14  29  36  13   4  17   5  11   7  23  28  10  18
 43   38  29  19  37  36  15  16  40   8  17   3   5  41  11  34   9  31
 47   16  12  45  37   6  25   5  28   2  29  14  22  35  39   3  44  27
 53   10  35  37  49  31   7  39  20  42  25  51  16  46  13  33   5  23
 59   40  43  38   8  10  26  15  53  12  46  34  20  28  57  49   5  17
 61   47  13  26  24  55  16  57   9  44  41  18  51  35  29  59   5  21
 67   64  13  10  17  62  60  28  42  30  20  51  25  44  55  47   5  32
 71   49  58  16  40  27  37  15  44  56  45   8  13  68  60  11  30  57
 73   21  20  62  17  39  63  46  30   2  67  18  49  35  15  11  40  61
 79   21   6  32  70  54  72  26  13  46  38   3  61  11  67  56  20  69
 83   56  63  47  29  80  25  60  75  54  78  52  10  12  18  38   5  14
 89    6  18  35  14  82  12  57  49  52  39   3  25  59  87  31  80  85
 97   89  78  81  69   5  24  77  76   2  59  18   3  13   9  46  74  60

Table E.4 Indices.







                                Numbers
  p   34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49
                                Indices
 37    8  19  18
 41   19  21   2  32  35   6  20
 43   23  18  14   7   4  33  22   6  21
 47   34  33  30  42  17  31   9  15  24  13  43  41  23
 53   11   9  36  30  38  41  50  45  32  22   8  29  40  44  21  28
 59   41  24  44  55  39  37   9  14  11  33  27  48  16  23  54  36
 61   48  11  14  39  27  46  25  54  56  43  17  34  58  20  10  38
 67   65  38  14  22  11  58  18  53  63   9  61  27  29  50  43  46
 71   55  29  64  20  22  65  46  25  33  48  43  10  21   9  50   2
 73   29  34  28  64  70  65  25   4  47  51  71  13  54  31  38  66
 79   25  37  10  19  36  35  74  75  58  49  76  64  30  59  17  28
 83   57  35  64  20  48  67  30  40  81  71  26   7  61  23  76  16
 89   22  63  34  11  51  24  30  21  10  29  28  72  73  54  65  74
 97   27  32  16  91  19  95   7  85  39   4  58  45  15  84  14  62

                                Numbers
  p   50  51  52  53  54  55  56  57  58  59  60  61  62  63  64  65
                                Indices
 53   43  27  26
 59   13  32  47  22  35  31  21  30  29
 61   45  53  42  33  19  37  52  32  36  31  30
 67   31  37  21  57  52   8  26  49  45  36  56   7  48  35   6  34
 71   62   5  51  23  14  59  19  42   4   3  66  69  17  53  36  67
 73   10  27   3  53  26  56  57  68  43   5  23  58  19  45  48  60
 79   50  22  42  77   7  52  65  33  15  31  71  45  60  55  24  18
 83   55  46  79  59  53  51  11  37  13  34  19  66  39  70   6  22
 89   68   7  55  78  19  66  41  36  75  43  15  69  47  83   8   5
 97   36  63  93  10  52  87  37  55  47  67  43  64  80  75  12  26

                                Numbers
  p   66  67  68  69  70  71  72  73  74  75  76  77  78  79  80  81
                                Indices
 67   33
 71   63  47  61  41  35
 73   69  50  37  52  42  44  36
 79   73  48  29  27  41  51  14  44  23  47  40  43  39
 83   15  45  58  50  36  33  65  69  21  44  49  32  68  43  31  42
 89   13  56  38  58  79  62  50  20  27  53  67  77  40  42  46   4
 97   94  57  61  51  66  11  50  28  29  72  53  21  33  30  41  88

                                Numbers
  p   82  83  84  85  86  87  88  89  90  91  92  93  94  95  96
                                Indices
 83   41
 89   37  61  26  76  45  60  44
 97   23  17  73  90  38  83  92  54  79  56  49  20  22  82  48

Table E.4 (continued)



                                Indices
  p    1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
                                Numbers
  3    2   1
  5    2   4   3   1
  7    3   2   6   4   5   1
 11    2   4   8   5  10   9   7   3   6   1
 13    2   4   8   3   6  12  11   9   5  10   7   1
 17    3   9  10  13   5  15  11  16  14   8   7   4  12   2   6   1
 19    2   4   8  16  13   7  14   9  18  17  15  11   3   6  12   5
 23    5   2  10   4  20   8  17  16  11   9  22  18  21  13  19   3
 29    2   4   8  16   3   6  12  24  19   9  18   7  14  28  27  25
 31    3   9  27  19  26  16  17  20  29  25  13   8  24  10  30  28
 37    2   4   8  16  32  27  17  34  31  25  13  26  15  30  23   9
 41    6  36  11  25  27  39  29  10  19  32  28   4  24  21   3  18
 43    3   9  27  38  28  41  37  25  32  10  30   4  12  36  22  23
 47    5  25  31  14  23  21  11   8  40  12  13  18  43  27  41  17
 53    2   4   8  16  32  11  22  44  35  17  34  15  30   7  14  28
 59    2   4   8  16  32   5  10  20  40  21  42  25  50  41  23  46
 61    2   4   8  16  32   3   6  12  24  48  35   9  18  36  11  22
 67    2   4   8  16  32  64  61  55  43  19  38   9  18  36   5  10
 71    7  49  59  58  51   2  14  27  47  45  31   4  28  54  23  19
 73    5  25  52  41  59   3  15   2  10  50  31   9  45   6  30   4
 79    3   9  27   2   6  18  54   4  12  36  29   8  24  72  58  16
 83    2   4   8  16  32  64  45   7  14  28  56  29  58  33  66  49
 89    3   9  27  81  65  17  51  64  14  42  37  22  66  20  60   2
 97    5  25  28  43  21   8  40   6  30  53  71  64  29  48  46  36

                                Indices
  p   17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33
                                Numbers
 19   10   1
 23   15   6   7  12  14   1
 29   21  13  26  23  17   5  10  20  11  22  15   1
 31   22   4  12   5  15  14  11   2   6  18  23   7  21   1
 37   18  36  35  33  29  21   5  10  20   3   6  12  24  11  22   7  14
 41   26  33  34  40  35   5  30  16  14   2  12  31  22   9  13  37  17
 43   26  35  19  14  42  40  34  16   5  15   2   6  18  11  33  13  39
 47   38   2  10   3  15  28  46  42  22  16  33  24  26  36  39   7  35
 53    3   6  12  24  48  43  33  13  26  52  51  49  45  37  21  42  31
 59   33   7  14  28  56  53  47  35  11  22  44  29  58  57  55  51  43
 61   44  27  54  47  33   5  10  20  40  19  38  15  30  60  59  57  53
 67   20  40  13  26  52  37   7  14  28  56  45  23  46  25  50  33  66
 71   62   8  56  37  46  38  53  16  41   3  21   5  35  32  11   6  42
 73   20  27  62  18  17  12  60   8  40  54  51  36  34  24  47  16   7
 79   48  65  37  32  17  51  74  64  34  23  69  49  68  46  59  19  57
 83   15  30  60  37  74  65  47  11  22  44   5  10  20  40  80  77  71
 89    6  18  54  73  41  34  13  39  28  84  74  44  43  40  31   4  12
 97   83  27  38  93  77  94  82  22  13  65  34  73  74  79   7  35  78

Table E.4 (continued)





 p  34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
Numbers
37  28 19  1
41  20 38 23 15  8  7  1
43  31  7 21 20 17  8 24 29  1
47  34 29  4 20  6 30  9 45 37 44 32 19  1
53   9 18 36 19 38 23 46 39 25 50 47 41 29  5 10 20
59  27 54 49 39 19 38 17 34  9 18 36 13 26 52 45 31
61  45 29 58 55 49 37 13 26 52 43 25 50 39 17 34  7
67  65 63 59 51 35  3  6 12 24 48 29 58 49 31 62 57
71  10 70 64 22 12 13 20 69 57 44 24 26 40 67 43 17
73  35 29 72 68 48 21 32 14 70 58 71 63 23 42 64 28
79  13 39 38 35 26 78 76 70 52 77 73 61 25 75 67 43
83  59 35 70 57 31 62 41 82 81 79 75 67 51 19 38 76
89  36 19 57 82 68 26 78 56 79 59 88 86 80 62  8 24
97   2 10 50 56 86 42 16 80 12 60  9 45 31 58 96 92

Indices
 p  50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
Numbers
53  40 27  1
59   3  6 12 24 48 37 15 30  1
61  14 28 56 51 41 21 42 23 46 31  1
67  47 27 54 41 15 30 60 53 39 11 22 44 21 42 17 34
71  48 52  9 63 15 34 25 33 18 55 30 68 50 66 36 39
73  67 43 69 53 46 11 55 56 61 13 65 33 19 22 37 39
79  50 71 55  7 21 63 31 14 42 47 62 28  5 15 45 56
83  69 55 27 54 25 50 17 34 68 53 23 46  9 18 36 72
89  72 38 25 75 47 52 67 23 69 29 87 83 71 35 16 48
97  72 69 54 76 89 57 91 67 44 26 33 68 49 51 61 14

Indices
 p  66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81
67   1
71  60 65 29 61  1
73  49 26 57 66 38 44  1
79  10 30 11 33 20 60 22 66 40 41 44 53  1
83  61 39 78 73 63 43  3  6 12 24 48 13 26 52 21 42
89  55 76 50 61  5 15 45 46 49 58 85 77 53 70 32  7
97  70 59  4 20  3 15 75 84 32 63 24 23 18 90 62 19

Indices
 p  82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
Numbers
83   1
89  21 63 11 33 10 30  1
97  95 87 47 41 11 55 81 17 85 37 88 52 66 39  1



Table E.4 (continued) 





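 d   √d
 2   [1; \overline{2}]
 3   [1; \overline{1, 2}]
 5   [2; \overline{4}]
 6   [2; \overline{2, 4}]
 7   [2; \overline{1, 1, 1, 4}]
 8   [2; \overline{1, 4}]
10   [3; \overline{6}]
11   [3; \overline{3, 6}]
12   [3; \overline{2, 6}]
13   [3; \overline{1, 1, 1, 1, 6}]
14   [3; \overline{1, 2, 1, 6}]
15   [3; \overline{1, 6}]
17   [4; \overline{8}]
18   [4; \overline{4, 8}]
19   [4; \overline{2, 1, 3, 1, 2, 8}]
20   [4; \overline{2, 8}]
21   [4; \overline{1, 1, 2, 1, 1, 8}]
22   [4; \overline{1, 2, 4, 2, 1, 8}]
23   [4; \overline{1, 3, 1, 8}]
24   [4; \overline{1, 8}]
26   [5; \overline{10}]
27   [5; \overline{5, 10}]
28   [5; \overline{3, 2, 3, 10}]
29   [5; \overline{2, 1, 1, 2, 10}]
30   [5; \overline{2, 10}]
31   [5; \overline{1, 1, 3, 5, 3, 1, 1, 10}]
32   [5; \overline{1, 1, 1, 10}]
33   [5; \overline{1, 2, 1, 10}]
34   [5; \overline{1, 4, 1, 10}]
35   [5; \overline{1, 10}]
37   [6; \overline{12}]
38   [6; \overline{6, 12}]
39   [6; \overline{4, 12}]
40   [6; \overline{3, 12}]
41   [6; \overline{2, 2, 12}]
42   [6; \overline{2, 12}]
43   [6; \overline{1, 1, 3, 1, 5, 1, 3, 1, 1, 12}]
44   [6; \overline{1, 1, 1, 2, 1, 1, 1, 12}]
45   [6; \overline{1, 2, 2, 2, 1, 12}]
46   [6; \overline{1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12}]
47   [6; \overline{1, 5, 1, 12}]
48   [6; \overline{1, 12}]
50   [7; \overline{14}]
51   [7; \overline{7, 14}]
52   [7; \overline{4, 1, 2, 1, 4, 14}]
53   [7; \overline{3, 1, 1, 3, 14}]
54   [7; \overline{2, 1, 6, 1, 2, 14}]
55   [7; \overline{2, 2, 2, 14}]
56   [7; \overline{2, 14}]
57   [7; \overline{1, 1, 4, 1, 1, 14}]
58   [7; \overline{1, 1, 1, 1, 1, 1, 14}]
59   [7; \overline{1, 2, 7, 2, 1, 14}]
60   [7; \overline{1, 2, 1, 14}]
61   [7; \overline{1, 4, 3, 1, 2, 2, 1, 3, 4, 1, 14}]
62   [7; \overline{1, 6, 1, 14}]
63   [7; \overline{1, 14}]
65   [8; \overline{16}]
66   [8; \overline{8, 16}]
67   [8; \overline{5, 2, 1, 1, 7, 1, 1, 2, 5, 16}]
68   [8; \overline{4, 16}]
69   [8; \overline{3, 3, 1, 4, 1, 3, 3, 16}]
70   [8; \overline{2, 1, 2, 1, 2, 16}]
71   [8; \overline{2, 2, 1, 7, 1, 2, 2, 16}]
72   [8; \overline{2, 16}]
73   [8; \overline{1, 1, 5, 5, 1, 1, 16}]
74   [8; \overline{1, 1, 1, 1, 16}]
75   [8; \overline{1, 1, 1, 16}]
76   [8; \overline{1, 2, 1, 1, 5, 4, 5, 1, 1, 2, 1, 16}]
77   [8; \overline{1, 3, 2, 3, 1, 16}]
78   [8; \overline{1, 4, 1, 16}]
79   [8; \overline{1, 7, 1, 16}]
80   [8; \overline{1, 16}]
82   [9; \overline{18}]
83   [9; \overline{9, 18}]
84   [9; \overline{6, 18}]
85   [9; \overline{4, 1, 1, 4, 18}]
86   [9; \overline{3, 1, 1, 1, 8, 1, 1, 1, 3, 18}]
87   [9; \overline{3, 18}]
88   [9; \overline{2, 1, 1, 1, 2, 18}]
89   [9; \overline{2, 3, 3, 2, 18}]
90   [9; \overline{2, 18}]
91   [9; \overline{1, 1, 5, 1, 5, 1, 1, 18}]
92   [9; \overline{1, 1, 2, 4, 2, 1, 1, 18}]
93   [9; \overline{1, 1, 1, 4, 6, 4, 1, 1, 1, 18}]
94   [9; \overline{1, 2, 3, 1, 1, 5, 1, 8, 1, 5, 1, 1, 3, 2, 1, 18}]
95   [9; \overline{1, 2, 1, 18}]
96   [9; \overline{1, 3, 1, 18}]
97   [9; \overline{1, 5, 1, 1, 1, 1, 1, 1, 5, 1, 18}]
98   [9; \overline{1, 8, 1, 18}]
99   [9; \overline{1, 18}]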


Table E.5 Simple continued fractions for square roots of positive integers. 




Answers to Odd-Numbered 
Exercises 


Section 1.1 

1. a. well-ordered b. well-ordered c. not well-ordered d. well-ordered e. not well-ordered

3. Suppose that $x$ and $y$ are rational numbers. Then $x = a/b$ and $y = c/d$, where $a$, $b$, $c$, and $d$
are integers with $b \neq 0$ and $d \neq 0$. Then $xy = (a/b) \cdot (c/d) = ac/bd$ and $x + y = a/b + c/d =
(ad + bc)/bd$, where $bd \neq 0$. Because both $x + y$ and $xy$ are ratios of integers, they are both
rational.

5. Suppose that $\sqrt{3}$ were rational. Then there would exist positive integers $a$ and $b$ with
$\sqrt{3} = a/b$. Consequently, the set $S = \{k\sqrt{3} \mid k \text{ and } k\sqrt{3} \text{ are positive integers}\}$ is nonempty
because $a = b\sqrt{3}$. Therefore, by the well-ordering property, $S$ has a smallest element, say,
$s = t\sqrt{3}$. We have $s\sqrt{3} - s = s\sqrt{3} - t\sqrt{3} = (s - t)\sqrt{3}$. Because $s\sqrt{3} = 3t$ and $s$ are both
integers, $s\sqrt{3} - s = (s - t)\sqrt{3}$ must also be an integer. Furthermore, it is positive, because
$s\sqrt{3} - s = s(\sqrt{3} - 1)$ and $\sqrt{3} > 1$. It is less than $s$ because $s = t\sqrt{3}$, $s\sqrt{3} = 3t$, and $\sqrt{3} < 3$. This
contradicts the choice of $s$ as the smallest positive integer in $S$. It follows that $\sqrt{3}$ is irrational.

7. a. 0 b. -1 c. 3 d. -2 e. 0 f. -4

9. a. {8/5} = 3/5 b. {1/7} = 1/7 c. {-11/4} = 1/4 d. {7} = 0

11. 0 if $x$ is an integer; $-1$ otherwise

13. We have $[x] \le x$ and $[y] \le y$. Adding these two inequalities gives $[x] + [y] \le x + y$. Hence,
$[x + y] \ge [[x] + [y]] = [x] + [y]$.

15. Let $x = a + r$ and $y = b + s$, where $a$ and $b$ are integers and $r$ and $s$ are real numbers such
that $0 \le r, s < 1$. Then $[xy] = [ab + as + br + sr] = ab + [as + br + sr]$, whereas $[x][y] = ab$.
Thus we have $[xy] \ge [x][y]$ when $x$ and $y$ are both positive. If $x$ and $y$ are both negative, then
$[xy] \le [x][y]$. If one of $x$ and $y$ is positive and the other negative, then the inequality could go
either direction.

17. Let $x = [x] + r$. Because $0 \le r < 1$, $x + \frac{1}{2} = [x] + r + \frac{1}{2}$. If $r < \frac{1}{2}$, then $[x]$ is the integer nearest
to $x$ and $[x + \frac{1}{2}] = [x]$ because $[x] \le x + \frac{1}{2} = [x] + r + \frac{1}{2} < [x] + 1$. If $r \ge \frac{1}{2}$, then $[x] + 1$ is
the integer nearest to $x$ (choosing this integer if $x$ is midway between $[x]$ and $[x + 1]$) and
$[x + \frac{1}{2}] = [x] + 1$ because $[x] + 1 \le x + r + \frac{1}{2} < [x] + 2$.

19. Let $x = k + \epsilon$ where $k$ is an integer and $0 \le \epsilon < 1$. Further, let $k = a^2 + b$, where $a$ is the largest
integer such that $a^2 \le k$. Then $a^2 \le k = a^2 + b \le x = a^2 + b + \epsilon < (a + 1)^2$. Then $[\sqrt{x}] = a$ and
$[\sqrt{[x]}] = [\sqrt{k}] = a$ also, proving the theorem.

21. a. $8n - 5$ b. $2^n + 3$ c. $[[\sqrt{n}]/\sqrt{n}]$ d. $a_n = a_{n-1} + a_{n-2}$, for $n \ge 3$, and $a_1 = 1$, and $a_2 = 3$

23. $a_n = 2^{n-1}$; $a_n = (n^2 - n + 2)/2$; and $a_n = a_{n-1} + 2a_{n-2}$, for $n \ge 3$

25. This set is exactly the sequence $a_n = n - 100$, and hence is countable.

27. The function $f(a + b\sqrt{2}) = 2^a 3^b$ is a one-to-one map of this set into the rational numbers, which
is countable.

29. Suppose $\{A_i\}$ is a countable collection of countable sets. Then each $A_i$ can be represented by a
sequence, as follows:

$A_1 = a_{11}, a_{12}, a_{13}, \ldots$
$A_2 = a_{21}, a_{22}, a_{23}, \ldots$
$A_3 = a_{31}, a_{32}, a_{33}, \ldots$

Consider the listing $a_{11}, a_{12}, a_{21}, a_{13}, a_{22}, a_{31}, \ldots$, in which we first list the elements with
subscripts adding to 2, then the elements with subscripts adding to 3, and so on. Further, we order
the elements with subscripts adding to $k$ in order of the first subscript. Form a new sequence $c_i$ as
follows. Let $c_1 = a_{11}$. Given that $c_n$ is determined, let $c_{n+1}$ be the next element in the listing that is
different from each $c_i$ with $i = 1, 2, \ldots, n$. It follows that the terms of this sequence are exactly
the elements of $\bigcup_{i=1}^{\infty} A_i$, which is therefore countable.

31. a. a = 4, b = 7 b. a = 7, b = 10 c. a = 7, b = 69 d. a = 1, b = 20 

33. The number $a$ must lie in some interval of the form $r/k < a < (r + 1)/k$. If we divide this
interval into equal halves, then $a$ must lie in one of the halves, so either $r/k < a < (2r + 1)/2k$
or $(2r + 1)/2k < a < (r + 1)/k$. In the first case, we have $|a - r/k| < 1/2k$, so we take $u = r$. In
the second case, we have $|a - (r + 1)/k| < 1/2k$, so we take $u = r + 1$.

35. First, we have $|\sqrt{2} - 1/1| = 0.414\ldots < 1/1^2$. Second, Exercise 30, part a, gives us $|\sqrt{2} - 7/5| <
1/50 < 1/5^2$. Third, observing that $3/7 = 0.428\ldots$ leads us to try $|\sqrt{2} - 10/7| = 0.014\ldots <
1/7^2 = 0.0204\ldots$. Fourth, observing that $5/12 = 0.4166\ldots$ leads us to try $|\sqrt{2} - 17/12| =
0.00245\ldots < 1/12^2 = 0.00694\ldots$.

37. We may assume that $b$ and $q$ are positive. Note that if $q > b$, we have $|p/q - a/b| =
|pb - aq|/qb \ge 1/qb > 1/q^2$. Therefore, solutions to the inequality must have $1 \le q \le b$. For a
given $q$, there can be only finitely many $p$ such that the distance between the rational numbers
$a/b$ and $p/q$ is less than $1/q^2$ (indeed there is at most one.) Therefore, there are only finitely
many $p/q$ satisfying the inequality.

39. a. 3, 6, 9, 12, 15, 18, 21, 24, 27, 30 b. 1, 3, 5, 6, 8, 10, 12, 13, 15, 17 c. 2, 4, 7, 9, 11, 14, 16,
18, 21, 23 d. 3, 6, 9, 12, 15, 18, 21, 25, 28, 31

41. Assume that $1/\alpha + 1/\beta = 1$. First, show that the sequences $m\alpha$ and $n\beta$ are disjoint. Then, for an
integer $k$, define $N(k)$ to be the number of elements of the sequences $m\alpha$ and $n\beta$ that are less than $k$.
Then $N(k) = [k/\alpha] + [k/\beta]$. By definition of the greatest integer function, $k/\alpha - 1 < [k/\alpha] < k/\alpha$
and $k/\beta - 1 < [k/\beta] < k/\beta$. Add these inequalities to deduce that $k - 2 < N(k) < k$. Hence
$N(k) = k - 1$, and the conclusion follows. To prove the converse, note that if $1/\alpha + 1/\beta \neq 1$, then
the spectrum sequence can not partition the positive integers.

43. Assume that there are only finitely many Ulam numbers. Let the two largest Ulam numbers be
$u_{n-1}$ and $u_n$. Then the integer $u_n + u_{n-1}$ is an Ulam number larger than $u_n$. It is the unique sum
of two Ulam numbers because $u_i + u_j < u_n + u_{n-1}$ if $j < n$ or $j = n$ and $i < n - 1$.

45. To get a contradiction, suppose that the set of real numbers is countable. Then the subset of real
numbers strictly between 0 and 1 is also countable. Then there is a one-to-one correspondence
$f : \mathbb{Z}^+ \to (0, 1)$. Each real number $b \in (0, 1)$ has a decimal representation of the form
$b = 0.b_1b_2b_3\ldots$, where $b_i$ is the $i$th digit after the decimal point. For each $k = 1, 2, 3, \ldots$,
let $f(k) = a_k \in (0, 1)$. Then each $a_k$ has a decimal representation of the form $a_k = 0.a_{k1}a_{k2}a_{k3}\ldots$.
Form the real number $c = 0.c_1c_2c_3\ldots$ as follows: If $a_{kk} = 5$, then let $c_k = 4$. If $a_{kk} \neq 5$, then let
$c_k = 5$. Then $c \neq a_k$ for every $k$ because it differs in the $k$th decimal place. Therefore $f(k) \neq c$
for all $k$, and so $f$ is not a one-to-one correspondence.

Section 1.2

1. a. 55 b. -15 c. 29/20

3. a. 510 b. 24,600 c. -255/256

5. The sum $\sum_{k=1}^{n} [\sqrt{k}]$ counts 1 for every value of $k$ with $\sqrt{k} \ge 1$. There are $n$ such values of
$k$ in the range $k = 1, 2, 3, \ldots, n$. It counts another 1 for every value of $k$ with $\sqrt{k} \ge 2$.
There are $n - 3$ such values in the range. The sum counts another 1 for each value of $k$ with
$\sqrt{k} \ge 3$. There are $n - 8$ such values in the range. In general, for $m = 1, 2, 3, \ldots, [\sqrt{n}]$
the sum counts a 1 for each value of $k$ with $\sqrt{k} \ge m$, and there are $n - (m^2 - 1)$ values
in the range. Therefore, $\sum_{k=1}^{n} [\sqrt{k}] = \sum_{m=1}^{[\sqrt{n}]} (n - (m^2 - 1)) = [\sqrt{n}](n + 1) - \sum_{m=1}^{[\sqrt{n}]} m^2 =
[\sqrt{n}](n + 1) - ([\sqrt{n}]([\sqrt{n}] + 1)(2[\sqrt{n}] + 1))/6$.

7. The total number of dots in the $n$ by $n + 1$ rectangle, namely, $n(n + 1)$, is $2t_n$ because the rectangle
is made from two triangular arrays. Dividing both sides by 2 gives the desired formula.

9. From the closed formula for the $n$th triangular number, we have $t_{n+1}^2 - t_n^2 = ((n + 1)(n +
1 + 1)/2)^2 - (n(n + 1)/2)^2 = (n + 1)^2((n + 2)^2/4 - n^2/4) = (n + 1)^2(n^2 + 4n + 4 - n^2)/4 =
(n + 1)^2(4n + 4)/4 = (n + 1)^3$, as desired.

11. From Exercise 10, we have $p_n = (3n^2 - n)/2$. On the other hand, $t_{n-1} + n^2 = (n - 1)n/2 + n^2 =
(3n^2 - n)/2$, which is the same as above.

13. a. Consider a regular heptagon that we border successively by heptagons with 3, 4, 5, . . . on
each side. Define the heptagonal numbers $s_k$ to be the number of dots contained in the $k$ nested
heptagons. b. $(5k^2 - 3k)/2$

15. From Exercise 10, we have $p_n = (3n^2 - n)/2$. Also, $t_{3n-1}/3 = (1/3)(3n - 1)(3n)/2 = (3n -
1)(n)/2 = (3n^2 - n)/2 = p_n$.

17. By Exercise 16, we have $T_n = \sum_{k=1}^{n} t_k = \sum_{k=1}^{n} k(k + 1)/2$. Note that $(k + 1)^3 - k^3 = 3k^2 + 3k +
1 = 3(k^2 + k) + 1$ so that $k^2 + k = ((k + 1)^3 - k^3)/3 - (1/3)$. Then $T_n = (1/2) \sum_{k=1}^{n} k(k + 1) =
(1/6) \sum_{k=1}^{n} ((k + 1)^3 - k^3) - (1/6) \sum_{k=1}^{n} 1$. The first sum is telescoping and the second sum is
trivial, so we have $T_n = (1/6)((n + 1)^3 - 1^3) - (n/6) = (n^3 + 3n^2 + 2n)/6$.

19. Each of these four quantities is a product of 100 integers. The largest product is $100^{100}$, because
it is the product of 100 factors of 100. The second largest is $100!$, which is the product of the
integers $1, 2, \ldots, 100$, and each of these terms is less than or equal to 100. The third largest is $(50!)^2$,
which is the product of $1^2, 2^2, \ldots, 50^2$, and each of these factors $j^2$ is less than $j(50 + j)$, whose
product is $100!$. The smallest is $2^{100}$, which is the product of 100 twos.

21. $\sum_{k=1}^{n} \frac{1}{k(k+1)} = \sum_{k=1}^{n} \left(\frac{1}{k} - \frac{1}{k+1}\right)$. Let $a_j = 1/(j + 1)$. Notice that this is a telescoping
sum, as in Example 1.19. Therefore, we have $\sum_{k=1}^{n} \frac{1}{k(k+1)} = \sum_{j=1}^{n} (a_{j-1} - a_j) =
a_0 - a_n = 1 - 1/(n + 1) = n/(n + 1)$.

23. We sum both sides of the identity $(k + 1)^3 - k^3 = 3k^2 + 3k + 1$ from $k = 1$ to $k = n$. $\sum_{k=1}^{n} ((k +
1)^3 - k^3) = (n + 1)^3 - 1$, because the sum is telescoping. $\sum_{k=1}^{n} (3k^2 + 3k + 1) = 3(\sum_{k=1}^{n} k^2) +
3(\sum_{k=1}^{n} k) + \sum_{k=1}^{n} 1 = 3(\sum_{k=1}^{n} k^2) + 3n(n + 1)/2 + n$. As these two expressions are equal,
solving for $\sum_{k=1}^{n} k^2$, we find that $\sum_{k=1}^{n} k^2 = (n(2n + 1)(n + 1))/6$.

25. a. $10! = (7!)(8 \cdot 9 \cdot 10) = (7!)(720) = (7!)(6!)$. b. $10! = (7!)(6!) = (7!)(5!) \cdot 6 = (7!)(5!)(3!)$.
c. $16! = (14!)(15 \cdot 16) = (14!)(240) = (14!)(5!)(2!)$. d. $9! = (7!)(8 \cdot 9) = (7!)(6 \cdot 6 \cdot 2) =
(7!)(3!)(3!)(2!)$

27. $x = y = 1$ and $z = 2$

Section 1.3


1. For $n = 1$, we have $1 < 2^1 = 2$. Now assume $n < 2^n$. Then $n + 1 < 2^n + 1 < 2^n + 2^n = 2^{n+1}$.

3. For the basis step, ^ =1 ^ — \ <2 — \ — \. For the inductive step, we assume that J2k=i ~j? — 
2 - 1. Then pr = £2 =1 pr + < 2 - ± by the induction hypothesis. This 

is less than2-^+^ = 2- ^(l-^)<2-^,as desired. 


. A" = ^ ^ . The basis step is trivial. For the inductive step, assume that A" = ^ ^ . 

;)(: o-(i "')• 


7. For the basis step, we have $\sum_{j=1}^{1} j^2 = 1 = 1(1 + 1)(2 \cdot 1 + 1)/6$. For the inductive step,
we assume that $\sum_{j=1}^{n} j^2 = n(n + 1)(2n + 1)/6$. Then $\sum_{j=1}^{n+1} j^2 = \sum_{j=1}^{n} j^2 + (n + 1)^2 =
n(n + 1)(2n + 1)/6 + (n + 1)^2 = (n + 1)(n(2n + 1)/6 + n + 1) = (n + 1)(2n^2 + 7n + 6)/6 =
(n + 1)(n + 2)[2(n + 1) + 1]/6$.

9. For the basis step, we have $\sum_{j=1}^{1} j(j + 1) = 2 = 1(2)(3)/3$. Assume it is true for $n$. Then
$\sum_{j=1}^{n+1} j(j + 1) = n(n + 1)(n + 2)/3 + (n + 1)(n + 2) = (n + 1)(n + 2)(n/3 + 1) = (n + 1)(n +
2)(n + 3)/3$.


11. $2^{n(n+1)/2}$


13. For the basis step, we note that $12 = 4 \cdot 3$. For the inductive step, assume that postage of $n$
cents can be formed, with $n = 4a + 5b$, where $a$ and $b$ are nonnegative integers. To form
$n + 1$ cents postage, if $a > 0$ we can replace a 4-cent stamp with a 5-cent stamp; that is,
$n + 1 = 4(a - 1) + 5(b + 1)$. If no 4-cent stamps are present, then all 5-cent stamps were used. It
follows that there must be at least three 5-cent stamps and these can be replaced by four 4-cent
stamps; that is, $n + 1 = 4(a + 4) + 5(b - 3)$.

15. We use mathematical induction. The inequality is true for $n = 0$ because $H_{2^0} = H_1 = 1 \ge 1 =
1 + 0/2$. Now assume that the inequality is true for $n$, that is, $H_{2^n} \ge 1 + n/2$. Then $H_{2^{n+1}} =
\sum_{j=1}^{2^n} 1/j + \sum_{j=2^n+1}^{2^{n+1}} 1/j \ge H_{2^n} + \sum_{j=2^n+1}^{2^{n+1}} 1/2^{n+1} \ge 1 + n/2 + 2^n \cdot 1/2^{n+1} = 1 + n/2 + 1/2 =
1 + (n + 1)/2$.

17. For the basis step, we have $(2 \cdot 1)! = 2 < 2^{2 \cdot 1}(1!)^2 = 4$. For the inductive step, we assume
that $(2n)! < 2^{2n}(n!)^2$. Then $[2(n + 1)]! = (2n)!(2n + 1)(2n + 2) < 2^{2n}(n!)^2(2n + 1)(2n + 2) <
2^{2n}(n!)^2(2n + 2)^2 = 2^{2(n+1)}[(n + 1)!]^2$.

19. Let $A$ be such a set. Define $B$ as $B = \{x - k + 1 \mid x \in A \text{ and } x \ge k\}$. Because $x \ge k$, $B$ is a
set of positive integers. Because $k \in A$ and $k \ge k$, $k - k + 1 = 1$ is in $B$. Because $n + 1$ is in $A$
whenever $n$ is, $n + 1 - k + 1$ is in $B$ whenever $n - k + 1$ is. Thus, $B$ satisfies the hypothesis for
mathematical induction, i.e., $B$ is the set of positive integers. Mapping $B$ back to $A$ in the natural
manner, we find that $A$ contains the set of integers greater than or equal to $k$.

21. For the basis step, we have $4^2 = 16 < 24 = 4!$. For the inductive step, we assume that $n^2 < n!$.
Then $(n + 1)^2 = n^2 + 2n + 1 < n! + 2n + 1 < n! + 3n < n! + n! = 2n! < (n + 1)n! = (n + 1)!$.

23. We use the second principle of mathematical induction. For the basis step, if the puzzle has only
one piece, then it is assembled with exactly 0 moves. For the induction step, assume that all puzzles
with $k \le n$ pieces require $k - 1$ moves to assemble. Suppose it takes $m$ moves to assemble a puzzle
with $n + 1$ pieces. Then the $m$th move consists of joining two blocks of size $a$ and $b$, respectively,
with $a + b = n + 1$. But by the induction hypothesis, it requires exactly $a - 1$ and $b - 1$ moves to
assemble each of these blocks. Thus, $m = (a - 1) + (b - 1) + 1 = a + b - 1 = n$.

25. Suppose that $f(n)$ is defined recursively by specifying the value of $f(1)$ and a rule for finding
$f(n + 1)$ from $f(n)$. We will prove by mathematical induction that such a function is well-defined.
First, note that $f(1)$ is well-defined because this value is explicitly stated. Now assume that $f(n)$
is well-defined. Then $f(n + 1)$ also is well-defined because a rule is given for determining this
value from $f(n)$.

27. 65,536

29. We use the second principle of mathematical induction. The basis step consists of verifying the
formula for $n = 1$ and $n = 2$. For $n = 1$, we have $f(1) = 1 = 2^1 + (-1)^1$, and for $n = 2$, we have
$f(2) = 5 = 2^2 + (-1)^2$. Now assume that $f(k) = 2^k + (-1)^k$ for all positive integers $k$ with
$k < n$ where $n > 2$. By the induction hypothesis, it follows that $f(n) = f(n - 1) + 2f(n - 2) =
(2^{n-1} + (-1)^{n-1}) + 2(2^{n-2} + (-1)^{n-2}) = (2^{n-1} + 2^{n-1}) + (-1)^{n-2}(-1 + 2) = 2^n + (-1)^n$.

31. We use the second principle of mathematical induction. We see that $a_0 = 1 \le 3^0 = 1$, $a_1 = 3 \le 3^1 =
3$, and $a_2 = 9 \le 3^2 = 9$. These are the basis cases. Now assume that $a_k \le 3^k$ for all integers $k$ with
$0 \le k < n$. It follows that $a_n = a_{n-1} + a_{n-2} + a_{n-3} \le 3^{n-1} + 3^{n-2} + 3^{n-3} = 3^{n-3}(1 + 3 + 9) =
13 \cdot 3^{n-3} < 27 \cdot 3^{n-3} = 3^n$.

33. Let $P_n$ be the statement for $n$. Then $P_2$ is true, because we have $((a_1 + a_2)/2)^2 - a_1a_2 =
((a_1 - a_2)/2)^2 \ge 0$. Assume $P_n$ is true. Then by $P_2$, for $2n$ positive real numbers $a_1, \ldots, a_{2n}$ we
have $a_1 + \cdots + a_{2n} \ge 2(\sqrt{a_1a_2} + \sqrt{a_3a_4} + \cdots + \sqrt{a_{2n-1}a_{2n}})$. Apply $P_n$ to this last expression to
get $a_1 + \cdots + a_{2n} \ge 2n(a_1a_2 \cdots a_{2n})^{1/2n}$, which establishes $P_n$ for $n = 2^k$ for all $k$. Again, assume
$P_n$ is true. Let $g = (a_1a_2 \cdots a_{n-1})^{1/(n-1)}$. Applying $P_n$, we have $a_1 + a_2 + \cdots + a_{n-1} + g \ge
n(a_1a_2 \cdots a_{n-1}g)^{1/n} = n(g^{n-1}g)^{1/n} = ng$. Therefore, $a_1 + a_2 + \cdots + a_{n-1} \ge (n - 1)g$, which
establishes $P_{n-1}$. Thus $P_{2^k}$ is true and $P_n$ implies $P_{n-1}$. This establishes $P_n$ for all $n$.

35. Note that because $0 < p < q$ we have $0 < p/q < 1$. The proposition is trivially true if $p = 1$. We
proceed by strong induction on $p$. Let $p$ and $q$ be given and assume the proposition is true for all
rational numbers between 0 and 1 with numerators less than $p$. To apply the algorithm, we find
the unit fraction $1/s$ such that $1/(s - 1) > p/q > 1/s$. When we subtract, the remaining fraction is
$p/q - 1/s = (ps - q)/qs$. On the other hand, if we multiply the first inequality by $q(s - 1)$, we
have $q > p(s - 1)$, which leads to $p > ps - q$, which shows that the numerator of $p/q$ is strictly
greater than the numerator of the remainder $(ps - q)/qs$ after one step of the algorithm. By the
induction hypothesis, this remainder is expressible as a sum of unit fractions, $1/u_1 + \cdots + 1/u_k$.
Therefore, $p/q = 1/s + 1/u_1 + \cdots + 1/u_k$, which completes the induction step.

Section 1.4 

1. a. 55 b. 233 c. 610 d. 2584 e. 6765 f. 75025

3. Note that $2f_{n+2} - f_n = f_{n+2} + (f_{n+2} - f_n) = f_{n+2} + f_{n+1} = f_{n+3}$. Add $f_n$ to both sides.

5. For $n = 1$, we have $f_{2 \cdot 1} = 1 = 1^2 + 2 \cdot 1 \cdot 0 = f_1^2 + 2f_0f_1$, and for $n = 2$, we have $f_{2 \cdot 2} = 3 =
1^2 + 2 \cdot 1 \cdot 1 = f_2^2 + 2f_1f_2$. So the basis step holds for strong induction. Assume, then, that $f_{2n-4} =
f_{n-2}^2 + 2f_{n-3}f_{n-2}$ and $f_{2n-2} = f_{n-1}^2 + 2f_{n-2}f_{n-1}$. Now compute $f_{2n} = f_{2n-1} + f_{2n-2} =
2f_{2n-2} + f_{2n-3} = 3f_{2n-2} - f_{2n-4}$. We may now substitute in our induction hypotheses to set this
last expression equal to $3f_{n-1}^2 + 6f_{n-2}f_{n-1} - f_{n-2}^2 - 2f_{n-3}f_{n-2} = 3f_{n-1}^2 + 6(f_n - f_{n-1})f_{n-1} -
(f_n - f_{n-1})^2 - 2(f_{n-1} - f_{n-2})(f_n - f_{n-1}) = -2f_{n-1}^2 + 6f_nf_{n-1} - f_n^2 + 2f_n(f_n - f_{n-1}) -
2f_{n-1}(f_n - f_{n-1}) = f_n^2 + 2f_{n-1}f_n$, which completes the induction step.

7. $\sum_{j=1}^{n} f_{2j-1} = f_{2n}$. The basis step is trivial. Assume that our formula is true for $n$, and consider
$f_1 + f_3 + f_5 + \cdots + f_{2n-1} + f_{2n+1} = f_{2n} + f_{2n+1} = f_{2n+2}$, which is the induction step.

9. First suppose $n = 2k$ is even. Then $f_n - f_{n-1} + \cdots + (-1)^{n+1}f_1 = (f_{2k} + f_{2k-1} + \cdots + f_1) -
2(f_{2k-1} + f_{2k-3} + \cdots + f_1) = (f_{2k+2} - 1) - 2(f_{2k})$ by the formulas in Example 1.27 and
Exercise 7. This last equals $(f_{2k+2} - f_{2k}) - f_{2k} - 1 = f_{2k+1} - f_{2k} - 1 = f_{2k-1} - 1 = f_{n-1} - 1$.
Now suppose $n = 2k + 1$ is odd. Then $f_n - f_{n-1} + \cdots + (-1)^{n+1}f_1 = f_{2k+1} - (f_{2k} - f_{2k-1} + \cdots +
(-1)^{n+1}f_1) = f_{2k+1} - (f_{2k-1} - 1)$ by the formula just proved for the even case. This last
equals $(f_{2k+1} - f_{2k-1}) + 1 = f_{2k} + 1 = f_{n-1} + 1$. We can unite the formulas for the odd and even
cases by writing the formula as $f_{n-1} - (-1)^n$.

11. From Exercise 5, we have $f_{2n} = f_n^2 + 2f_{n-1}f_n = f_n(f_n + f_{n-1} + f_{n-1}) = (f_{n+1} - f_{n-1})(f_{n+1} +
f_{n-1}) = f_{n+1}^2 - f_{n-1}^2$.

13. We use mathematical induction. For the basis step, $\sum_{j=1}^{1} f_j^2 = f_1^2 = f_1f_2$. To make the inductive
step, we assume that $\sum_{j=1}^{n} f_j^2 = f_nf_{n+1}$. Then $\sum_{j=1}^{n+1} f_j^2 = \sum_{j=1}^{n} f_j^2 + f_{n+1}^2 = f_nf_{n+1} + f_{n+1}^2 =
f_{n+1}f_{n+2}$.

15. From Exercise 13, we have $f_{n+1}f_n - f_{n-1}f_{n-2} = (f_1^2 + \cdots + f_n^2) - (f_1^2 + \cdots + f_{n-2}^2) =
f_n^2 + f_{n-1}^2$. The identity in Exercise 10 shows that this is equal to $f_{2n-1}$ when $n$ is a positive
integer, and in particular when $n$ is greater than 2.

17. For fixed $m$, we proceed by induction on $n$. The basis step is $f_{m+1} = f_mf_2 + f_{m-1}f_1 = f_m \cdot 1 +
f_{m-1} \cdot 1$, which is true. Assume the identity holds for $1, 2, \ldots, k$. Then $f_{m+k} = f_mf_{k+1} + f_{m-1}f_k$
and $f_{m+k-1} = f_mf_k + f_{m-1}f_{k-1}$. Adding these equations gives us $f_{m+k} + f_{m+k-1} = f_m(f_{k+1} +
f_k) + f_{m-1}(f_k + f_{k-1})$. Applying the recursive definition yields $f_{m+k+1} = f_mf_{k+2} + f_{m-1}f_{k+1}$.

19. $\sum_{i=1}^{n} L_i = L_{n+2} - 3$. We use mathematical induction. The basis step is $L_1 = 1 = L_3 - 3$. Assume
that the formula holds for $n$ and compute $\sum_{i=1}^{n+1} L_i = \sum_{i=1}^{n} L_i + L_{n+1} = L_{n+2} - 3 + L_{n+1} =
(L_{n+2} + L_{n+1}) - 3 = L_{n+3} - 3$.

21. $\sum_{i=1}^{n} L_{2i} = L_{2n+1} - 1$. We use mathematical induction. The basis step is $L_2 = 3 = L_3 - 1$.
Assume that the formula holds for $n$ and compute $\sum_{i=1}^{n+1} L_{2i} = \sum_{i=1}^{n} L_{2i} + L_{2n+2} = L_{2n+1} -
1 + L_{2n+2} = L_{2n+3} - 1$.

23. We proceed by induction. The basis step is $L_1^2 = 1 = L_1L_2 - 2$. Assume the formula holds for
$n$ and consider $\sum_{j=1}^{n+1} L_j^2 = \sum_{j=1}^{n} L_j^2 + L_{n+1}^2 = L_nL_{n+1} - 2 + L_{n+1}^2 = L_{n+1}(L_n + L_{n+1}) - 2 =
L_{n+1}L_{n+2} - 2$.

25. For the basis step, we check that $L_1f_1 = 1 \cdot 1 = 1 = f_2$ and $L_2f_2 = 3 \cdot 1 = 3 = f_4$. Assume the
identity is true for all positive integers up to $n$. Then we have $f_{n+1}L_{n+1} = (f_{n+2} - f_n)(f_{n+2} + f_n)$
from Exercise 16. This equals $f_{n+2}^2 - f_n^2 = (f_{n+1} + f_n)^2 - (f_{n-1} + f_{n-2})^2 = f_{n+1}^2 + 2f_{n+1}f_n +
f_n^2 - f_{n-1}^2 - 2f_{n-1}f_{n-2} - f_{n-2}^2 = (f_{n+1}^2 - f_{n-1}^2) + (f_n^2 - f_{n-2}^2) + 2(f_{n+1}f_n - f_{n-1}f_{n-2}) =
(f_{n+1} - f_{n-1})(f_{n+1} + f_{n-1}) + (f_n - f_{n-2})(f_n + f_{n-2}) + 2(f_{2n-1})$, where the last parenthetical
expression is obtained from Exercise 8. This equals $f_nL_n + f_{n-1}L_{n-1} + 2f_{2n-1}$. Applying
the induction hypothesis yields $f_{2n} + f_{2n-2} + 2f_{2n-1} = (f_{2n} + f_{2n-1}) + (f_{2n-1} + f_{2n-2}) =
f_{2n+1} + f_{2n} = f_{2n+2}$, which completes the induction.

27. We prove this by induction on $n$. Fix $m$ a positive integer. If $n = 2$, then for the basis step we
need to show that $L_{m+2} = f_{m+1}L_2 + f_mL_1 = 3f_{m+1} + f_m$, for which we will use induction on
$m$. For $m = 1$ we have $L_3 = 4 = 3 \cdot f_2 + f_1$, and for $m = 2$ we have $L_4 = 7 = 3 \cdot f_3 + f_2$, so the
basis step for $m$ holds. Now assume that the basis step for $n$ holds for all values of $m$ less than and
equal to $m$. Then $L_{m+3} = L_{m+2} + L_{m+1} = 3f_{m+1} + f_m + 3f_m + f_{m-1} = 3f_{m+2} + f_{m+1}$, which
completes the induction step on $m$ and proves the basis step for $n$. To prove the induction step on
$n$, we compute $L_{m+n+1} = L_{m+n} + L_{m+n-1} = (f_{m+1}L_n + f_mL_{n-1}) + (f_{m+1}L_{n-1} + f_mL_{n-2}) =
f_{m+1}(L_n + L_{n-1}) + f_m(L_{n-1} + L_{n-2}) = f_{m+1}L_{n+1} + f_mL_n$, which completes the induction on
$n$ and proves the identity.

29. $50 = 34 + 13 + 3 = f_9 + f_7 + f_4$, $85 = 55 + 21 + 8 + 1 = f_{10} + f_8 + f_6 + f_2$, $110 = 89 + 21 =
f_{11} + f_8$, and $200 = 144 + 55 + 1 = f_{12} + f_{10} + f_2$.

31. We proceed by mathematical induction. The basis steps ($n = 2$ and 3) are easily seen to hold.
For the inductive step, we assume that $f_n < \alpha^{n-1}$ and $f_{n-1} < \alpha^{n-2}$. Now $f_{n+1} = f_n + f_{n-1} <
\alpha^{n-1} + \alpha^{n-2} = \alpha^n$, because $\alpha$ satisfies $\alpha^n = \alpha^{n-1} + \alpha^{n-2}$.

33. We use Theorem 1.3. Note that $\alpha^2 = \alpha + 1$ and $\beta^2 = \beta + 1$, because they are roots of
$x^2 - x - 1 = 0$. Then we have $f_{2n} = (\alpha^{2n} - \beta^{2n})/\sqrt{5} = (1/\sqrt{5})((\alpha + 1)^n - (\beta + 1)^n) =
(1/\sqrt{5})\left(\sum_{j=0}^{n} \binom{n}{j}\alpha^j - \sum_{j=0}^{n} \binom{n}{j}\beta^j\right) = (1/\sqrt{5})\sum_{j=0}^{n} \binom{n}{j}(\alpha^j - \beta^j) = \sum_{j=1}^{n} \binom{n}{j}f_j$, because
the first term is zero in the second-to-last sum.

35. On one hand, det(F n ) = det(F) n = (-1)”. On the other hand, 

*{ r ? 

37. $f_0 = 0$, $f_{-1} = 1$, $f_{-2} = -1$, $f_{-3} = 2$, $f_{-4} = -3$, $f_{-5} = 5$, $f_{-6} = -8$, $f_{-7} = 13$, $f_{-8} = -21$,
$f_{-9} = 34$, $f_{-10} = -55$

39. The square has area 64 square units, while the rectangle has area 65 square units. This corresponds
to the identity in Exercise 14, which tells us that $f_7f_5 - f_6^2 = 1$. Notice that the slope of the
hypotenuse of the triangular piece is 3/8, while the slope of the top of the trapezoidal piece is
2/5. We have $2/5 - 3/8 = 1/40$. Thus, the "diagonal" of the rectangle is really a very skinny
parallelogram of area 1, hidden visually by the fact that the two slopes are nearly equal.

41. We solve the equation $r^2 - r - 1 = 0$ to discover the roots $r_1 = (1 + \sqrt{5})/2$ and $r_2 = (1 - \sqrt{5})/2$.
Then, according to the theory in the paragraph above, $f_n = C_1r_1^n + C_2r_2^n$. For $n = 0$, we have $0 =
C_1r_1^0 + C_2r_2^0 = C_1 + C_2$. For $n = 1$, we have $1 = C_1r_1 + C_2r_2 = C_1(1 + \sqrt{5})/2 + C_2(1 - \sqrt{5})/2$.
Solving these two equations simultaneously yields $C_1 = 1/\sqrt{5}$ and $C_2 = -1/\sqrt{5}$. So the explicit
formula is $f_n = (1/\sqrt{5})r_1^n - (1/\sqrt{5})r_2^n = (r_1^n - r_2^n)/\sqrt{5}$.

43. We seek to solve the recurrence relation $L_n = L_{n-1} + L_{n-2}$ subject to the initial conditions
$L_1 = 1$ and $L_2 = 3$. We solve the equation $r^2 - r - 1 = 0$ to discover the roots $\alpha = (1 + \sqrt{5})/2$
and $\beta = (1 - \sqrt{5})/2$. Then, according to the theory in the paragraph above Exercise 41, $L_n =
C_1\alpha^n + C_2\beta^n$. For $n = 1$, we have $L_1 = 1 = C_1\alpha + C_2\beta$. For $n = 2$, we have $3 = C_1\alpha^2 + C_2\beta^2$.
Solving these two equations simultaneously yields $C_1 = 1$ and $C_2 = 1$. So the explicit formula is
$L_n = \alpha^n + \beta^n$.

45. First check that $\alpha^2 = \alpha + 1$ and $\beta^2 = \beta + 1$. We proceed by induction. The basis steps are
$(1/\sqrt{5})(\alpha - \beta) = (1/\sqrt{5})(\sqrt{5}) = 1 = f_1$ and $(1/\sqrt{5})(\alpha^2 - \beta^2) = (1/\sqrt{5})((1 + \alpha) - (1 + \beta)) =
(1/\sqrt{5})(\alpha - \beta) = 1 = f_2$. Assume the identity is true for all positive integers up to $n$. Then $f_{n+1} =
f_n + f_{n-1} = (1/\sqrt{5})(\alpha^n - \beta^n) + (1/\sqrt{5})(\alpha^{n-1} - \beta^{n-1}) = (1/\sqrt{5})(\alpha^{n-1}(\alpha + 1) - \beta^{n-1}(\beta +
1)) = (1/\sqrt{5})(\alpha^{n-1}(\alpha^2) - \beta^{n-1}(\beta^2)) = (1/\sqrt{5})(\alpha^{n+1} - \beta^{n+1})$, which completes the induction.

Section 1.5 

1. $3 \mid 99$ because $99 = 3 \cdot 33$, $5 \mid 145$ because $145 = 5 \cdot 29$, $7 \mid 343$ because $343 = 7 \cdot 49$, and $888 \mid 0$
because $0 = 888 \cdot 0$

3. a. yes b. yes c. no d. no e. no f. no

5. a. $q = 5$, $r = 15$ b. $q = 17$, $r = 0$ c. $q = -3$, $r = 1$ d. $q = -6$, $r = 2$

7. a. 1 and 13 b. 1, 3, 7, and 21 c. 1, 2, 3, 4, 6, 9, 12, 18, and 36 d. 1, 2, 4, 11, 22, and 44

9. a. (11, 22) = 11 b. (36, 42) = 6 c. (21, 22) = 1 d. (16, 64) = 16

11. Each of 1, 2, 3, ... , 10 is relatively prime to 11.





13. (10, 11), (10, 13), (10, 17), (10, 19), (11, 12), (11, 13), . . . , (11, 20), (12, 13), (12, 17), 
(12, 19), (13, 14), (13, 15), . . . , (13, 20), (14, 15), (14, 17), (14, 19), (15, 16), (15, 17), 
(15, 19), (16, 17), (16, 19), (17, 18), (17, 19), (17, 20), (18, 19) and (19, 20) 

15. By hypothesis, b = ra and d = sc, for some r and s. Thus, bd = rs(ac) and ac \ bd. 

17. If a | b, then b = na and be = n(ca), i.e., ac \ be. Now suppose ac \ be. Thus, be = nac and, as 

c ^ 0, b = na, i.e., a \ b. 

19. By definition, a \ b if and only if b = na for some integer n. Then raising both sides of this 
equation to the *th power yields b k = n k a k whence a k \b k . 

21. Let a and b be odd, and c even. Then ab = (2x + l)(2y + 1) = 4xy + 2x + 2y + 1 = 2(2xy + 
x + y) + 1, so ab is odd. On the other hand, for any integer n, we have cn = (2 z)n = 2(zn), which 
is even. 

23. By the division algorithm, a = bq + r, withO <r <b. Thus —a = —bq — r = —(q + 1 )b + b — r. 
If 0 <b - r <b, then we are done. Otherwise, b — r = b, orr=0 and —a = —qb + 0. 

25. a. The division algorithm covers the case when b is positive. If b is negative, then we may apply 
the division algorithm to a and \b\ to get a quotient q and remainder r such that a = q \b\ + r and 
0 < r < \b\. But because b is negative, we have a = q(—b ) + r = ( —q)b + r, as desired, b. 3 

27. By the division algorithm, let m = qn + r, with 0 ≤ r ≤ n - 1 and q = [m/n]. Then
[(m + 1)/n] = [(qn + r + 1)/n] = [q + (r + 1)/n] = q + [(r + 1)/n], as in Example 1.31.
If r = 0, 1, 2, . . . , n - 2, then m ≠ kn - 1 for any integer k and 1/n ≤ (r + 1)/n < 1 and so
[(r + 1)/n] = 0. In this case, we have [(m + 1)/n] = q + 0 = [m/n]. On the other hand, if
r = n - 1, then m = qn + n - 1 = n(q + 1) - 1 = nk - 1, and [(r + 1)/n] = 1. In this case, we
have [(m + 1)/n] = q + 1 = [m/n] + 1.

29. The positive integers divisible by the positive integer d are those integers of the form kd where k 
is a positive integer. The number of these that are less than x is the number of positive integers k 
with kd < x, or equivalently with k < x/d. There are [x/d] such integers.

31. 128; 18 

33. 457 

35. It costs 44 - [1 - x]17 cents to mail a letter weighing x ounces. It can not cost $1.81; a 13-ounce
letter costs $2.65.

37. Multiplying two integers of this form gives us (4n + 1)(4m + 1) = 16mn + 4m + 4n + 1 =
4(4mn + m + n) + 1. Similarly, (4n + 3)(4m + 3) = 16mn + 12m + 12n + 9 = 4(4mn + 3m +
3n + 2) + 1.

39. Every odd integer may be written in the form 4k + 1 or 4k + 3. Observe that $(4k + 1)^4 = 16^2 k^4 + 4(4k)^3 + 6(4k)^2 + 4(4k) + 1 = 16(16k^4 + 16k^3 + 6k^2 + k) + 1$. Proceeding further, $(4k + 3)^4 = (4k)^4 + 12(4k)^3 + 54(4k)^2 + 108(4k) + 3^4 = 16(16k^4 + 48k^3 + 54k^2 + 27k + 5) + 1$.

41. Of any consecutive three integers, one is a multiple of three. Also, at least one is even. Therefore, 
the product is a multiple of 2 • 3 = 6. 

43. For the basis step, note that $0^3 + 1^3 + 2^3 = 9$ is a multiple of 9. Suppose that $n^3 + (n + 1)^3 + (n + 2)^3 = 9k$ for some integer k. Then $(n + 1)^3 + (n + 2)^3 + (n + 3)^3 = n^3 + (n + 1)^3 + (n + 2)^3 + (n + 3)^3 - n^3 = 9k + n^3 + 9n^2 + 27n + 27 - n^3 = 9k + 9n^2 + 27n + 27 = 9(k + n^2 + 3n + 3)$,
which is a multiple of 9.

45. We proceed by mathematical induction. The basis step is clear. Assume that only $f_{4n}$'s are divisible
by 3 for $f_i$, $i \le 4k$. Then, as $f_{4k+1} = f_{4k} + f_{4k-1}$, $3 \mid f_{4k}$ and $3 \mid f_{4k+1}$ gives us the contradiction
$3 \mid f_{4k-1}$. Thus, $3 \nmid f_{4k+1}$. Continuing on, if $3 \mid f_{4k}$ and $3 \mid f_{4k+2}$, then $3 \mid f_{4k+1}$, which contradicts
the statement just proved. If $3 \mid f_{4k}$ and $3 \mid f_{4k+3}$, then, because $f_{4k+3} = 2f_{4k+1} + f_{4k}$, we again
have a contradiction. But, as $f_{4k+4} = 3f_{4k+1} + 2f_{4k}$, and $3 \mid f_{4k}$ and $3 \mid 3 \cdot f_{4k+1}$, we see that
$3 \mid f_{4k+4}$.

47. First note that for $n > 5$, $5f_{n-4} + 3f_{n-5} = 2f_{n-4} + 3(f_{n-4} + f_{n-5}) = 2f_{n-4} + 3f_{n-3} = 2(f_{n-4} + f_{n-3}) + f_{n-3} = 2f_{n-2} + f_{n-3} = f_{n-2} + f_{n-2} + f_{n-3} = f_{n-2} + f_{n-1} = f_n$, which
proves the first identity. Now note that $f_5 = 5$ is divisible by 5. Suppose that $f_{5n}$ is divisible by 5.
From the identity above, $f_{5n+5} = 5f_{5n+5-4} + 3f_{5n+5-5} = 5f_{5n+1} + 3f_{5n}$, which is divisible by 5
because $5f_{5n+1}$ is a multiple of 5 and, by the induction hypothesis, so is $f_{5n}$. This completes the
induction.

49. 39, 59, 89, 134, 67, 101, 152, 76, 38, 19, 29, 44, 22, 11, 17, 26, 13, 20, 10, 5, 8, 4, 2, 1

51. We prove this using the second principle of mathematical induction. Because T(2) = 1, the Collatz
conjecture is true for n = 2. Now assume that the conjecture holds for all integers less than n.
By assumption, there is an integer k such that k iterations of the transformation T , starting at n, 
produces an integer m less than n. By the inductive hypothesis, there is an integer l such that 
iterating T l times starting at m produces the integer 1. Hence, iterating T k + l times starting 
with n leads to 1. 

53. We first show that $(2 + \sqrt{3})^n + (2 - \sqrt{3})^n$ is an even integer. By the binomial theorem, it
follows that $(2 + \sqrt{3})^n + (2 - \sqrt{3})^n = \sum_{j=0}^{n} \binom{n}{j} 2^j \sqrt{3}^{\,n-j} + \sum_{j=0}^{n} \binom{n}{j} 2^j (-1)^{n-j} \sqrt{3}^{\,n-j} = 2(2^n + \binom{n}{2} 3 \cdot 2^{n-2} + \binom{n}{4} 3^2 \cdot 2^{n-4} + \cdots) = 2l$ where l is an integer. Next, note that $(2 - \sqrt{3})^n < 1$.
Because $(2 + \sqrt{3})^n$ is not an integer, we see that $[(2 + \sqrt{3})^n] = (2 + \sqrt{3})^n + (2 - \sqrt{3})^n - 1$. It
follows that $[(2 + \sqrt{3})^n]$ is odd.

55. We prove existence of q and r by induction on a. First assume that a ≥ 0. Assume existence
in the division algorithm holds for all nonnegative integers less than a. If a < b, then let q = 0
and r = a, so that a = qb + r and 0 ≤ r = a < b. If a ≥ b, then a - b is nonnegative and by
the induction hypothesis, there exist q' and r' such that a - b = q'b + r', with 0 ≤ r' < b. Then
a = (q' + 1)b + r', so we let q = q' + 1 and r = r'. This establishes the induction step, so existence
is proved for a ≥ 0. Now suppose a < 0. Then -a > 0, so, from our work above, there exist q'
and r' such that -a = q'b + r' and 0 ≤ r' < b. Then a = -q'b - r'. If r' = 0, we're done. If not,
then 0 < b - r' < b and a = (-q' - 1)b + b - r', so letting q = -q' - 1 and r = b - r' satisfies
the theorem. Uniqueness is proved just as in the text.


Section 2.1 

1. $(5554)_7$; $(2112)_{10}$

3. $(175)_{10}$; $(1111100111)_2$

5. $(8F5)_{16}$; $(74E)_{16}$

7. This is because we are using the blocks of three digits as one “digit,” which has 1000 possible 
values. 

9. -39; 26

11. If m is any integer weight less than $2^k$, then by Theorem 1.10, m has a base two expansion
$m = a_{k-1}2^{k-1} + a_{k-2}2^{k-2} + \cdots + a_1 2^1 + a_0 2^0$, where each $a_i$ is 0 or 1. The $2^i$ weight is used if
and only if $a_i = 1$.

13. Let w be the weight to be measured. By Exercise 10, w has a unique balanced ternary expansion.
Place the object in pan 1. If $e_i = 1$, then place a weight of $3^i$ into pan 2. If $e_i = -1$, then place a
weight of $3^i$ in pan 1. If $e_i = 0$, then do not use the weight of $3^i$. Now the pans will be balanced.

15. To convert a number from base r to base $r^n$, take the number in blocks of size n. To go the other
way, convert each digit of a base $r^n$ number to base r, and concatenate the results.

17. $(a_k a_{k-1} \ldots a_1 a_0 00 \ldots 00)_b$, where we have placed m zeroes at the end of the base b expansion
of n

19. a. -6 b. 13 c. -14 d. 0

21. If m is positive, then $a_{n-1} = 0$ and $a_{n-2}a_{n-3} \ldots a_0$ is the binary expansion of m. Hence,
$m = \sum_{i=0}^{n-2} a_i 2^i$ as desired. If m is negative, then the one’s complement expansion for m has
its leading bit equal to 1. If we view the bit string $a_{n-2}a_{n-3} \ldots a_0$ as a binary number, then it
represents $(2^{n-1} - 1) - (-m)$, because finding the one’s complement is equivalent to subtracting
the binary number from 111 • • • 1. That is, $(2^{n-1} - 1) - (-m) = \sum_{i=0}^{n-2} a_i 2^i$. Solving for m gives
us the desired identity.

23. a. -7 b. 13 c. -15 d. -1 

25. Complement each of the digits in the two’s complement representation for m and then add 1. 

27. An 

29. We first show that every positive integer has a Cantor expansion. To find a Cantor expansion
of the positive integer n, let m be the unique positive integer such that $m! \le n < (m + 1)!$. By
the division algorithm there is an integer $a_m$ such that $n = m! \cdot a_m + r_m$ where $0 \le a_m \le m$ and
$0 \le r_m < m!$. We iterate, finding that $r_m = (m - 1)! \cdot a_{m-1} + r_{m-1}$ where $0 \le a_{m-1} \le m - 1$ and
$0 \le r_{m-1} < (m - 1)!$. We iterate m - 2 more times, where we have $r_i = (i - 1)! \cdot a_{i-1} + r_{i-1}$
where $0 \le a_{i-1} \le i - 1$ and $0 \le r_{i-1} < (i - 1)!$ for i = m + 1, m, m - 1, . . . , 2 with $r_{m+1} = n$.
At the last stage, we have $r_2 = 1! \cdot a_1 + 0$ where $r_2 = 0$ or 1 and $r_2 = a_1$. Uniqueness is proven as
in the base-b expansion.

31. Call a position good if the number of ones in each column is even, and bad otherwise. Because a 
player can only affect one row, he or she must affect some column sums. Thus, any move from a 
good position produces a bad position. To find a move from a bad position to a good one, construct 
a binary number by putting a 1 in the place of each column with odd sum, and a 0 in the place of 
each column with even sum. Subtracting this number of matches from the largest pile will produce 
a good position. 

33. a. First show that the result of the operation must yield a multiple of 9. Then it suffices to check 
only multiples of 9 with decreasing digits. There are only 79 of these. If we perform the operation 
on each of these 79 numbers and reorder the digits, we will have one of the following 23 numbers: 
7551, 9954, 5553, 9990, 9981, 8820, 9810, 9620, 8532, 8550, 9720, 9972, 7731, 6543, 8730, 
8640, 8721, 7443, 9963, 7632, 6552, 6642, or 6174. It will suffice to check only 9810, 7551, 
9990, 8550, 9720, 8640, and 7632, because the other numbers will appear in the sequences which
these 8 numbers generate. b. 8

35. Consider $a_0 = (3043)_6$. We find that $T_6$ repeats with period 6. Therefore, it never goes to a
Kaprekar’s constant for the base 6.

37. Suppose $n = a_i + a_j = a_k + a_l$ with $i \le j$ and $k \le l$. First, suppose $i \ne j$. Then $n = a_i + a_j = 2^i + 2^j$ is the binary expansion of n. By Theorem 2.1, this expansion is unique. If k = l, then
$a_k + a_l = 2^{k+1}$, which would be a different binary expansion of n, so $k \ne l$. Then we must have
i = k and j = l by Theorem 2.1, so the sum is unique. Next, suppose i = j. Then $n = 2^{i+1}$ and so
$a_k + a_l = 2^k + 2^l = 2^{i+1}$. This forces k = l = i, and again the sum is unique. Therefore, $\{a_i\}$ is a
Sidon sequence.

Section 2.2 

1. $(10010110110)_2$

3. $(1011101100)_2$

5. $(10110001101)_2$

7. $q = (11111)_2$, $r = (1100)_2$

9. $(3314430)_5$

11. $(4320023)_5$

13. $(16665)_{16}$

15. $(B705736)_{16}$

17. We represent the integer $(18235187)_{10}$ using three words, $((018)(235)(187))_{1000}$, and the
integer $(22135674)_{10}$ using three words, $((022)(135)(674))_{1000}$, where each base 1000 digit is
represented by three base 10 digits in parentheses. To find the sum, difference, and product of these
integers from their base 1000 representations, we carry out the algorithms for such computations
for base 1000.

19. To add numbers using the one’s complement representation, first decide whether the answer 
will be negative or positive. To do this is easy if both numbers have the same lead (sign) bit; 
otherwise, conduct a bit-by-bit comparison of a positive summand’s digits and the complement of 
the negative’s. Now add the other digits (all but the initial (sign) bit) as an ordinary binary number. 
If the sum is greater than $2^n$, we have an overflow error. If not, consider the three quantities of the
two summands and the sum. If exactly zero or two of these are negative, we’re done. Otherwise,
we need to add $(1)_2$ to this answer. Also, add an appropriate sign bit to the front of the number.

21. Let $a = (a_m a_{m-1} \ldots a_2 a_1)_!$ and $b = (b_m b_{m-1} \ldots b_2 b_1)_!$. Then a + b is obtained by adding the
digits from right to left with the following rule for producing carries. If $a_j + b_j + c_{j-1}$, where
$c_{j-1}$ is the carry from adding $a_{j-1}$ and $b_{j-1}$, is greater than j, then $c_j = 1$, and the resulting
jth digit is $a_j + b_j + c_{j-1} - j - 1$. Otherwise, $c_j = 0$. To subtract b from a, assuming a > b,
we let $d_i = a_i - b_i + c_{i-1}$ and set $c_i = 0$ if $a_i - b_i + c_{i-1}$ is between 0 and i. Otherwise,
$d_i = a_i - b_i + c_{i-1} + i + 1$ and set $c_i = -1$. In this manner, $a - b = (d_m d_{m-1} \ldots d_2 d_1)_!$.
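
The division procedure in Exercise 29 of Section 2.1 and the carry and borrow rules of Exercise 21 above can be checked mechanically. The Python sketch below is an added example, not code from the text; the function names are chosen here for illustration, and digit lists are stored least significant first, so position j of a list holds the digit that multiplies j!.

```python
from math import factorial


def cantor_digits(n):
    """Return [a_1, ..., a_m] with n = a_m*m! + ... + a_2*2! + a_1*1! and 0 <= a_j <= j."""
    if n <= 0:
        raise ValueError("n must be a positive integer")
    m = 1
    while factorial(m + 1) <= n:          # the unique m with m! <= n < (m + 1)!
        m += 1
    digits = [0] * m
    r = n                                 # r_{m+1} = n
    for j in range(m, 0, -1):
        # One division step: r_{j+1} = j! * a_j + r_j with 0 <= r_j < j!
        digits[j - 1], r = divmod(r, factorial(j))
    return digits


def cantor_value(digits):
    """Evaluate a digit list back to the integer it represents."""
    return sum(a * factorial(j) for j, a in enumerate(digits, start=1))


def _pad(x, y):
    """Extend the shorter digit list with leading (high-order) zeros."""
    width = max(len(x), len(y))
    return x + [0] * (width - len(x)), y + [0] * (width - len(y))


def cantor_add(x, y):
    """Add two Cantor expansions right to left.

    Position j overflows when the digit sum exceeds j, because
    (j + 1) * j! = (j + 1)!, so the carry into position j + 1 is 1.
    """
    x, y = _pad(x, y)
    out, carry = [], 0
    for j, (a, b) in enumerate(zip(x, y), start=1):
        s = a + b + carry
        carry = 1 if s > j else 0
        out.append(s - (j + 1) * carry)
    if carry:
        out.append(1)                     # a final carry opens a new top position
    return out


def cantor_sub(x, y):
    """Subtract y from x, assuming the value of x exceeds the value of y."""
    x, y = _pad(x, y)
    out, borrow = [], 0
    for j, (a, b) in enumerate(zip(x, y), start=1):
        d = a - b + borrow
        borrow = 0 if 0 <= d <= j else -1
        out.append(d - (j + 1) * borrow)  # add j + 1 back when we borrowed
    if borrow:
        raise ValueError("cantor_sub requires x > y")
    while out and out[-1] == 0:           # drop leading zeros of the result
        out.pop()
    return out
```

Because Cantor expansions are unique, the digit list returned by `cantor_add` or `cantor_sub` must equal `cantor_digits` of the integer sum or difference, which gives a direct check of both rules.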

23. We have $(a_n \ldots a_1 5)_{10}^2 = (10(a_n \ldots a_1)_{10} + 5)^2 = 100(a_n \ldots a_1)_{10}^2 + 100(a_n \ldots a_1)_{10} + 25 = 100(a_n \ldots a_1)_{10}((a_n \ldots a_1)_{10} + 1) + 25$. The decimal digits of this number consist of the decimal
digits of $(a_n \ldots a_1)_{10}((a_n \ldots a_1)_{10} + 1)$ followed by 25 because this first product is multiplied by
100, which shifts its decimal expansion two digits.

Section 2.3 

1. a. yes b. no c. yes d. yes e. yes f. yes 

3. First note that $(n^3 + 4n^2 \log n + 101n^2)$ is $O(n^3)$ and that $(14n \log n + 8n)$ is $O(n \log n)$ as in
Example 2.12. Now applying Theorem 2.3 yields the result.

5. Use Exercise 4 and follow Example 2.12 noting that $(\log n)^3 < n^3$ whenever n is a positive integer.

7. Let k be an integer with $1 \le k \le n$. Consider the function f(k) = (n + 1 - k)k, whose graph is a
concave-down parabola with k-intercepts at k = 0 and k = n + 1. Because f(1) = f(n) = n, it is
clear that $f(k) \ge n$ for k = 1, 2, 3, . . . , n. Now consider the product $(n!)^2 = \prod_{k=1}^{n} k(n + 1 - k) \ge \prod_{k=1}^{n} n$ by the inequality above. This last is equal to $n^n$. Thus, we have $n^n \le (n!)^2$. Taking
logarithms of both sides yields $n \log(n) \le 2 \log(n!)$, which shows that $n \log(n)$ is $O(\log(n!))$.

9. Suppose that f is O(g) where f(n) and g(n) are positive integers for every integer n. Then there
is an integer C such that $f(n) < Cg(n)$ for all $x \in S$. Then $f^k(n) < C^k g^k(n)$ for all $x \in S$. Hence,
$f^k$ is $O(g^k)$.

11. The number of digits in the base b expansion of n is 1 + k where k is the largest integer such that
$b^k \le n < b^{k+1}$ because there is a digit for each of the powers of $b^0, b^1, \ldots, b^k$. Note that this
inequality is equivalent to $k \le \log_b n < k + 1$, so that $k = [\log_b n]$. Hence, there are $[\log_b n] + 1$
digits in the base b expansion of n.

13. To multiply an n-digit integer by an m-digit integer in the conventional manner, one must multiply
every digit of the first number by every digit of the second number. There are nm such pairs. 

15. a. $O(n \log_2 n \log_2 \log_2 n \log_2 \log_2 \log_2 n)$ b. $O((n \log n)^{1+\epsilon})$ for any $\epsilon > 0$

17. $(1100011)_2$

19. a. $ab = (10^{2n} + 10^n)A_1B_1 + 10^n(A_1 - A_0)(B_0 - B_1) + (10^n + 1)A_0B_0$ where $A_i$ and $B_i$ are
defined as in identity (2.2). b. 6351 c. 11,522,328

21. That the given equation is an identity may be seen by direct calculation. The seven multiplications
necessary to use this identity are $a_{11}b_{11}$, $a_{12}b_{21}$, $(a_{11} - a_{21} - a_{12})(b_{11} - b_{12} - b_{22})$, $(a_{21} + a_{22})(b_{12} - b_{11})$, $(a_{11} + a_{12} - a_{21} - a_{22})b_{22}$, $(a_{11} - a_{21})(b_{22} - b_{12})$, and $a_{22}(b_{11} - b_{21} - b_{12} + b_{22})$.

23. Let $k = [\log_2 n] + 1$. Then the number of multiplications for $2^k \times 2^k$ matrices is $O(7^k)$. But,
$7^k = 2^{(\log_2 7)([\log_2 n] + 1)} = O(2^{\log_2 n \log_2 7} 2^{\log_2 7}) = O(n^{\log_2 7})$. The other bit operations are absorbed
into this term.

Section 3.1 

1. a. yes b. yes c. yes d. no e. yes f. no 

3. 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103,
107, 109, 113, 127, 131, 137, 139, 149

5. none 

7. Using the identity given in the hint with k such that 1 < k < n and $k \mid n$, then $a^k - 1 \mid a^n - 1$.
Because $a^n - 1$ is prime by hypothesis, $a^k - 1 = 1$. From this, we see that a = 2 and k = 1,
contradicting the fact that k > 1. Thus, we must have a = 2 and n is prime.

9. We need to assume n > 3 to assure that $S_n > 1$. Then by Lemma 3.1, $S_n$ has a prime divisor p. If
$p \le n$, then $p \mid n!$, and so $p \mid n! - S_n = 1$, a contradiction. Therefore, we must have p > n. Because
we can find arbitrarily large primes, there must be infinitely many.

11. 3, 7, 31, 211, 2311, 59

13. If n is prime, we are done. Otherwise $n/p < (\sqrt[3]{n})^2$. If n/p is prime, then we are done. Otherwise,
by Theorem 3.2, n/p has a prime factor less than $\sqrt{n/p} < \sqrt[3]{n}$, a contradiction.

15. a. 7 b. 19 c. 71 

17. A positive integer has a decimal expansion ending in 1 if and only if it is of the form 10k + 1
for some integer k. This represents an arithmetic progression. Because (10, 1) = 1, we may apply 
Dirichlet’s theorem to conclude that there are infinitely many primes of this form. 

19. A positive integer has a decimal expansion ending in 123 if and only if it is of the form 1000k + 123
for some integer k. This represents an arithmetic progression. Because (1000, 123) = 1, we may 
apply Dirichlet’s theorem to conclude that there are infinitely many primes of this form. 

21. Let n be fixed, and let a be the integer with decimal expansion a string of n 1s followed by a 3.
Consider the arithmetic progression $10^{n+1}k + a$. Because a ends in 3, it can not be divisible by
2 or 5, so $(10^{n+1}, a) = 1$. Then by Dirichlet’s theorem, there are infinitely many primes in this
progression, and each has the desired form.

23. If n is prime the statement is true for n. Otherwise, n is composite, so n is the product of two 
integers a and b such that 1 < a < b < n. Because n = ab and because by the inductive hypothesis 
both a and b are the product of primes, we conclude that n is also the product of primes. 

25. 53 

27. For n = 0, 1, 2, . . . , 10, the values of the function are 11, 13, 19, 29, 43, 61, 83, 109, 139, 173, 211,
each of which is prime. But $2 \cdot 11^2 + 11 = 11(2 \cdot 11 + 1) = 11 \cdot 23$.

29. Assume not. Let $x_0$ be a positive integer. It follows that $f(x_0) = p$ where p is prime. Let
k be an integer. We have $f(x_0 + kp) = a_n(x_0 + kp)^n + \cdots + a_1(x_0 + kp) + a_0$. Note that
by the binomial theorem, $(x_0 + kp)^j = \sum_{i=0}^{j} \binom{j}{i} x_0^{j-i} (kp)^i$. It follows that $f(x_0 + kp) = \sum_{j=0}^{n} a_j x_0^j + Np = f(x_0) + Np$, for some integer N. Because $p \mid f(x_0)$ it follows that
$p \mid (f(x_0) + Np) = f(x_0 + kp)$. Because $f(x_0 + kp)$ is supposed to be prime, it follows that
$f(x_0 + kp) = p$ for all integers k. This contradicts the fact that a polynomial of degree n takes on
each value no more than n times. Hence f(y) is composite for at least one integer y.

31. At each stage of the procedure for generating the lucky numbers the smallest number left, say 
k, is designated to be a lucky number and infinitely many numbers are left after the deletion of 
every kth integer left. It follows that there are infinitely many steps, and at each step a new lucky 
number is added to the sequence. Hence there are infinitely many lucky numbers. 

Section 3.2 

1. 24, 25, 26, 27, 28 

3. Suppose that p, p + 2, and p + 4 were all prime. We consider three cases. First, suppose that 
p is of the form 3k. Then p cannot be prime unless k = 1, and the prime triplet is 3, 5, and
7. Next, suppose that p is of the form 3k + 1. Then p + 2 = 3k + 3 = 3(k + 1) is not prime.
We obtain no prime triplets in this case. Finally, suppose that p is of the form 3k + 2. Then 
p + 4 = 3k + 6 = 3(k + 2) is not prime. We obtain no prime triplet in this case either. 

5. (7, 11, 13), (13, 17, 19), (37, 41, 43), (67, 71, 73) 

7. a. 5 b. 7 c. 29 d. 53 

9. 127, 149, 173, 197, 227, 257, 293, 331, 367, 401 

11. If p is a prime of the form 105n + 97, then p + 2 = 105n + 99 = 3(35n + 33) which is not prime,
so p can not be the first member of a prime triple. Also, p - 2 = 105n + 95 = 5(21n + 19), which
is not prime, so p can not be the second member of a prime triple. Finally, p - 6 = 105n + 91 =
7(15n + 13) is not prime, so p can not be the third member of a prime triple. Because (97, 105) = 1,
Dirichlet’s theorem tells us that the arithmetic progression 105n + 97 contains infinitely many 
such primes. 

13. a. 7 = 3 + 2 + 2 b. 17 = 11 + 3 + 3 c. 27 = 23 + 2 + 2 d. 97 = 89 + 5 + 3 
e. 101 = 97 + 2 + 2 f. 199 = 191 + 5 + 3

15. Suppose that n > 5 and that Goldbach’s conjecture is true. Apply Goldbach’s conjecture to n — 2 
if n is even, or n — 3 if n is odd. Conversely, suppose that every integer greater than 5 is the sum 
of three primes. Let n > 2 be an even integer. Then n + 2 is also an even integer that is the sum 
of three primes, not all odd. 

17. Let p < n be prime. Using the division algorithm, we divide each of the first p + 1 integers in the
sequence by p to get $a = q_0 p + r_0$, $a + k = q_1 p + r_1$, . . . , $a + pk = q_p p + r_p$, with $0 \le r_i < p$
for each i. By the pigeonhole principle, at least two of the remainders must be equal, say, $r_i = r_j$.
We subtract the corresponding equations to get $a + ik - a - jk = q_i p + r_i - q_j p + r_j$, which
reduces to $(i - j)k = (q_i - q_j)p$. Therefore $p \mid (i - j)k$, and because p is prime, it must divide
one of the factors. But because (i - j) < p, we must have $p \mid k$.

19. The difference is 6, achieved with 5, 11, 17, 23.

21. The difference is 30, achieved with 7, 37, 67, 97, 127, 157. 

23. If $p^\alpha - q^\beta = 1$, with p, q primes, then p or q is even, so p or q is 2. If p = 2, there are several
cases: we have $2^\alpha - q^\beta = 1$. If $\alpha$ is even, say, $\alpha = 2k$, $(2^{2k} - 1) = (2^k - 1)(2^k + 1) = q^\beta$. So
$q \mid (2^k - 1)$ and $q \mid (2^k + 1)$; hence, q = 1, a contradiction. If $\alpha$ is odd and $\beta$ is odd, $2^\alpha = 1 + q^\beta = (1 + q)(q^{\beta-1} - q^{\beta-2} + \cdots + 1)$. So $1 + q = 2^n$ for some n. Then $2^\alpha = (2^n - 1)^\beta + 1 = 2^n(\text{odd number})$, because $\beta$ is odd. So $2^{\alpha-n}$ = odd number, and so $\alpha = n$. Therefore, $2^\alpha = 1 + (2^\alpha - 1)^\beta$
and so $\beta = 1$, which is not allowed. If $\alpha = 2k + 1$ and $\beta = 2n$ we have $2^{2k+1} = 1 + q^{2n}$. Because
q is odd, $q^2$ is of the form 4m + 1, and by the binomial theorem, so is $q^{2n}$. Thus, the right-hand
side of the last equation is of the form 4m + 2, but this forces k = 0, a contradiction. If
q = 2, we have $p^\alpha - 2^\beta = 1$. Whence $2^\beta = (p - 1)(p^{\alpha-1} + p^{\alpha-2} + \cdots + p + 1)$, where the
last factor is the sum of $\alpha$ odd terms but must be a power of 2; therefore, $\alpha = 2k$ for some k.
Then $2^\beta = (p^k - 1)(p^k + 1)$. These last two factors are powers of 2 that differ by 2, which forces
k = 1, $\alpha = 2$, $\beta = 3$, p = 3, and q = 2 as the only solution: $3^2 - 2^3 = 1$.

25. Because 3p > 2n, p and 2p are the only multiples of p that appear as factors in (2n)!. So p
divides (2n)! exactly twice. Because 2p > n, p is the only multiple of p that appears as a factor in
n!. So p | n! exactly once. Then, because $\binom{2n}{n} = (2n)!/(n!\,n!)$, the two factors of p in the numerator
are canceled by the two in the denominator.

27. By Bertrand’s conjecture, there must be a prime in each interval of the form $(2^{k-1}, 2^k)$, for
k = 2, 3, 4, . . .. Thus, there are at least k - 1 primes less than $2^k$. Because the prime 2 isn’t
counted here, we have at least k primes less than $2^k$.

29. Because 1/1 is an integer, we may assume n > 1. First suppose that m < n. Then $1/n + 1/(n + 1) + \cdots + 1/(n + m) \le 1/n + 1/(n + 1) + \cdots + 1/(2n - 1) < 1/n + 1/n + \cdots + 1/n \le n(1/n) = 1$,
so the sum can not be an integer. Now suppose $m \ge n$. Then by Bertrand’s postulate, there
is a prime p such that $n < p \le n + m$. Let p be the largest such prime. Then n + m < 2p;
otherwise, there would be a prime q with $p < q < 2p \le n + m$, contradicting the choice of p.
Suppose that $1/n + 1/(n + 1) + \cdots + 1/p + \cdots + 1/(n + m) = a$ where a is an integer. Note
that p occurs as a factor in only one denominator, because 2p > n + m. Let $Q = \prod_{j=n}^{n+m} j$
and let $Q_i = Q/i$, for i = n, n + 1, . . . , n + m. If we multiply the equation by Q, we get
$Q_n + Q_{n+1} + \cdots + Q_p + \cdots + Q_{n+m} = Qa$. Note that every term on both sides of the equation
is divisible by p except for $Q_p$. If we solve the equation for $Q_p$ and factor a p out of the other
side, we have an equation of the form $Q_p = pN$ where N is some integer. But this implies that p
divides $Q_p$, a contradiction.

31. Suppose n has the stated property and $n > p^2$ for some prime p. Because $p^2$ is not prime, there
must be a prime dividing both $p^2$ and n, and the only possibility for this is p itself, that is, $p \mid n$. Now
if $n > 7^2$, then it is greater than $2^2$, $3^2$, and $5^2$, and hence divisible by 2, 3, 5, and 7. This is the
basis step for induction. Now assume n is divisible by $p_1, p_2, \ldots, p_k$. By Bonse’s inequality,
$p_{k+1}^2 < p_1 p_2 \cdots p_k \le n$, so $p_{k+1} \mid n$ also. This induction implies that every prime divides n, which
is absurd. Therefore, if n has the stated property, it must be less than $7^2 = 49$. To finish, check the
remaining cases.

33. First suppose $n \ge 8$. Note that by Bertrand’s postulate we have $p_{n-1} < p_n < 2p_{n-1}$ and
$p_{n-2} < p_{n-1} < 2p_{n-2}$. Therefore, $p_n^2 < (2p_{n-1})(2p_{n-1}) < (2p_{n-1})(4p_{n-2}) = 8p_{n-1}p_{n-2} < p_{n-1}p_{n-2}p_5 \le p_{n-1}p_{n-2}p_{n-3}$, because $n \ge 8$. Now check the cases n = 6 and 7.

35. From Corollary 3.4.1, we expect $p_{1,000,000} \sim 10^6 \log 10^6 \approx 10^6 \cdot 6(2.306) = 13{,}836{,}000$. The
millionth prime is, in fact, 15,485,863.

Section 3.3 

1. a. 5 b. 111 c. 6 d. 1 e. 11 f. 2

3. a

5. 1 

7. Let a and b be even integers. Then a = 2k and b = 2l for some integers k and l. Let d = (a, b).
Then by Bezout’s theorem, there exist integers m and n such that d = ma + nb = m2k + n2l =
2(mk + nl). Therefore 2 | d, and so d is even.

9. By Theorem 3.8, (ca, cb) = cma + cnb = |c| • |ma + nb|, where cma + cnb is as small as
possible. Therefore, |ma + nb| is as small a positive integer as possible, i.e., equal to (a, b).

11. 1 or 2

13. Let a = 2k. Because (a, b) | b, and b is odd, (a, b) is odd. But (a, b) | a = 2k. Thus, (a, b) | k.
So (a, b) = (k, b) = (a/2, b).

15. Let d = (a, b). Then (a/d, b/d) = 1, so if g | a/d, then (g, b/d) = 1. In particular, if we let
e = (a/d, bc/d), then e | a/d, so (e, b/d) = 1, so we must have e | c. Because e | a/d, then e | a,
so e | (a, c). Conversely, if f = (a, c), then (f, b) = 1, so (d, f) = 1, so f | a/d, and, trivially,
f | bc/d. Therefore f | e, whence e = f. Then (a, b)(a, c) = de = d(a/d, bc/d) = (a, bc).

17. 10, 26, 65


19. a. 2 b. 5 c. 99 d. 3 e. 7 f. 1001 

21. Let $A = (a_1, a_2, \ldots, a_n)$ and $D = (ca_1, ca_2, \ldots, ca_n)$. Then for each i, we have $A \mid a_i$, so that
$cA \mid ca_i$. Thus, $cA \mid D$. Next, note that for each i, $c \mid ca_i$, so $c \mid D$. Then D = cd for some integer
d. Then for each i, $D = cd \mid ca_i$, and hence $d \mid a_i$. Therefore $d \mid A$, and so $D = cd \mid cA$. Because
$cA \mid D$ and $D \mid cA$, we have cA = D, which completes the proof.

23. Suppose that (6k + a, 6k + b) = d. Then d | b - a. We have a, b ∈ {-1, 1, 2, 3, 5}, so if a < b,
it follows that b - a ∈ {1, 2, 3, 4, 6}. Hence, d ∈ {1, 2, 3, 4, 6}. To show that d = 1, it is sufficient
to show that neither 2 nor 3 divides (6k + a, 6k + b). If p = 2 or p = 3 and p | (6k + a, 6k + b),
then p | a and p | b. However, there are no such pairs a, b in the set {-1, 1, 2, 3, 5}.

25. Applying Theorem 3.7, we have (8a + 3, 5a + 2) = (8a + 3 - (5a + 2), 5a + 2) = (3a +
1, 5a + 2) = (3a + 1, 5a + 2 - (3a + 1)) = (3a + 1, 2a + 1) = (3a + 1 - (2a + 1), 2a + 1) =
(a, 2a + 1) = (a, 2a + 1 - 2a) = (a, 1) = 1, so 8a + 3 and 5a + 2 are relatively prime.

27. Applying Theorem 3.7 to the numerator and denominator, we have (15k + 4, 10k + 3) = (15k +
4 - (10k + 3), 10k + 3) = (5k + 1, 10k + 3) = (5k + 1, 10k + 3 - 2(5k + 1)) = (5k + 1, 1) = 1.
Because the numerator and denominator are relatively prime, the fraction must be in lowest terms.

29. From Exercise 21, we know that 6k - 1, 6k + 1, 6k + 2, 6k + 3, and 6k + 5 are pairwise
relatively prime. To represent n as the sum of two relatively prime integers greater than 1,
let n = 12k + h, 0 ≤ h < 12. We now examine the twelve cases, one for each possible value of h:

     h     n
     0     (6k - 1) + (6k + 1)
     1     (6k - 1) + (6k + 2)
     2     (6k - 1) + (6k + 3)
     3     (6k + 1) + (6k + 2)
     4     (6k + 1) + (6k + 3)
     5     (6k + 2) + (6k + 3)
     6     (6k + 1) + (6k + 5)
     7     (6k + 2) + (6k + 5)
     8     (6k + 3) + (6k + 5)
     9     (12k + 7) + 2
    10     (12k + 7) + 3
    11     (12k + 9) + 2

31. Applying Theorem 3.7, we have $(2n^2 + 6n - 4, 2n^2 + 4n - 3) = (2n^2 + 6n - 4 - (2n^2 + 4n - 3), 2n^2 + 4n - 3) = (2n - 1, 2n^2 + 4n - 3) = (2n - 1, 2n^2 + 4n - 3 - n(2n - 1)) = (2n - 1, 5n - 3) = (2n - 1, 5n - 3 - 2(2n - 1)) = (2n - 1, n - 1) = (2n - 1 - 2(n - 1), n - 1) = (1, n - 1) = 1$, so the numbers are relatively prime.

35. From Exercise 36, we have cb - ad = de - cf = 1. Then c(b + f) = d(a + e), and so
c/d = (a + e)/(b + f).

37. Because a/b < (a + c)/(b + d) < c/d, we must have b + d > n, or a/b and c/d would not be 
consecutive, because otherwise, ( a + c)/(b + d) would have appeared in the Farey series of order 


39. Because (a/b) + (c/d) = (ad + bc)/bd is an integer, $bd \mid ad + bc$. Certainly, then, $bd \mid d(ad + bc) = ad^2 + cbd$. Now, because $bd \mid cbd$, it must be that $bd \mid ad^2$. From this, $bdn = ad^2$
for some integer n, and it follows that bn = ad, or $b \mid ad$. Because (a, b) = 1, we must have $b \mid d$.
Similarly, we can find that $d \mid b$; hence, b = d.

41. Consider the lattice points inside or on the triangle with vertices (0, 0), (a, 0), and (a, b). Note
that a lattice point lies on the diagonal from (0, 0) to (a, b) if and only if [bx/a] is an integer.
Let d = (a, b) and a = cd, so that (c, b) = 1. Then [bx/a] will be an integer exactly when x is a
multiple of c, because then $d \mid b$ and $c \mid x$ so then $a = cd \mid bx$. But there are exactly d multiples of
c less than or equal to a because cd = a, so there are exactly d + 1 lattice points on the diagonal
when we count (0, 0) also. So one way to count the lattice points in the triangle is to consider
the rectangle that has (a + 1)(b + 1) points and divide by 2. But we need to add back in half the
points on the diagonal, which gives us (a + 1)(b + 1)/2 + ((a, b) + 1)/2 total points in or on the
triangle. Another way to count all the points is to count each column above the horizontal axis,
starting with i = 1, 2, . . . , a - 1. The equation of the diagonal is y = (b/a)x, so for a given i,
the number of points on or below the diagonal is [bi/a]. So the total number of interior points in
the triangle plus the points on the diagonal is $\sum_{i=1}^{a-1} [bi/a]$. Then the right-hand boundary has b
points (not counting (a, 0)) and the lower boundary has a + 1 points (counting (0, 0)). So in all,
we have $\sum_{i=1}^{a-1} [bi/a] + a + b + 1$ points in or on the triangle. If we equate our two expressions
and multiply through by 2, we have $(a + 1)(b + 1) + (a, b) + 1 = 2\sum_{i=1}^{a-1} [bi/a] + 2a + 2b + 2$,
which simplifies to our expression.

43. Assume there are exactly r primes and consider the r + 1 numbers (r + 1)! + 1. From Lemma
3.1, each of these numbers has a prime divisor, but from Exercise 34, these numbers are pairwise 
relatively prime, so these prime divisors must be unique, and so we must have at least r + 1 
different prime divisors, a contradiction. 


Section 3.4 

1. a. 15 b. 6 c. 2 d. 5 

3. a. (-1)75 + (2)45 b. (6)222 + (-13)102 c. -138(666) + (65)1414 d. -1707(20,785) + 
800(44,350) 

5. a. 1 b. 7 c. 5 

7. a. 16 • 6 - 8 • 10 - 15 b. 105 - 21 • 70 + 14 • 98 c. 0 • 280 + 0 • 330 - 75 • 405 + 62 • 490

9. 2 

11. 2n - 2 

13. Suppose we have the balanced ternary expansions for integers a > b. If both expansions end in
zero, then both are divisible by 3, and we can divide this factor of 3 out by deleting the trailing
zeros (a shift), in which case (a, b) = 3(a/3, b/3). If exactly one expansion ends in zero, then we
can divide the factor of 3 out by shifting, and we have (a, b) = (a/3, b), say. If both expansions
end in 1 or in -1, then we can subtract the larger from the smaller to get (a, b) = (a - b, b), say,
and then the expansion for a - b ends in zero. Finally, if one expansion ends in 1 and the other in
-1, then we can add the two to get (a + b, b), where the expansion of a + b now ends in zero.
Because a + b is no larger than 2a and because we can now divide a + b by 3, the larger term is
reduced by a factor of at least 2/3 after two steps. Therefore, this algorithm will terminate in a
finite number of steps, when we finally have a = b = 1.

15. Let $r_0 = a$ and $r_1 = b$ be positive integers with a > b. By successively applying the least-remainder
division algorithm, we find that

$r_0 = r_1 q_1 + e_2 r_2$, $-r_1/2 < e_2 r_2 \le r_1/2$
$\vdots$
$r_{n-2} = r_{n-1} q_{n-1} + e_n r_n$, $-r_{n-1}/2 < e_n r_n \le r_{n-1}/2$
$r_{n-1} = r_n q_n$.

We eventually obtain a remainder of zero because the sequence of remainders $a = r_0 > r_1 > r_2 > \cdots \ge 0$ cannot contain more than a terms. By Lemma 3.3, we see that $(a, b) = (r_0, r_1) = (r_1, r_2) = \cdots = (r_{n-2}, r_{n-1}) = (r_{n-1}, r_n) = (r_n, 0) = r_n$. Hence $(a, b) = r_n$, the last nonzero remainder.

17. Let $v_2 = v_3 = 2$, and for $i \ge 4$, $v_i = 2v_{i-1} + v_{i-2}$.

19. Performing the Euclidean algorithm with $r_0 = m$ and $r_1 = n$, we find that $r_0 = r_1 q_1 + r_2$, $0 < r_2 < r_1$, $r_1 = r_2 q_2 + r_3$, $0 < r_3 < r_2$, . . . , $r_{k-3} = r_{k-2} q_{k-2} + r_{k-1}$, $0 < r_{k-1} < r_{k-2}$, and $r_{k-2} = r_{k-1} q_{k-1}$. We have $(m, n) = r_{k-1}$. We will use these steps to find the greatest common divisor
of $a^m - 1$ and $a^n - 1$. First, we show that if u and v are positive integers, then the least positive
residue of $a^u - 1$ modulo $a^v - 1$ is $a^r - 1$, where r is the least positive residue of u modulo v.
To see this, note that u = vq + r, where r is the least positive residue of u modulo v. It follows
that $a^u - 1 = a^{vq+r} - 1 = (a^v - 1)(a^{v(q-1)+r} + \cdots + a^{v+r} + a^r) + (a^r - 1)$. This shows that
the remainder is $a^r - 1$ when $a^u - 1$ is divided by $a^v - 1$. Now let $R_0 = a^m - 1$ and $R_1 = a^n - 1$.
When we perform the Euclidean algorithm starting with $R_0$ and $R_1$, we obtain $R_0 = R_1 Q_1 + R_2$,
where $R_2 = a^{r_2} - 1$, $R_1 = R_2 Q_2 + R_3$ where $R_3 = a^{r_3} - 1$, . . . , $R_{k-3} = R_{k-2} Q_{k-2} + R_{k-1}$ where
$R_{k-1} = a^{r_{k-1}} - 1$. Hence, the last nonzero remainder, $R_{k-1} = a^{r_{k-1}} - 1 = a^{(m,n)} - 1$, is the greatest
common divisor of $a^m - 1$ and $a^n - 1$.

21. Note that $(x, y) = (x - ty, y)$, as any divisor of $x$ and $y$ is also a divisor of $x - ty$. Therefore,
every move in the game of Euclid preserves the g.c.d. of the two numbers. Because $(a, 0) = a$, if
the game beginning with $\{a, b\}$ terminates, then it must do so at $\{(a, b), 0\}$. Because the sum of
the two numbers is always decreasing and positive, the game must terminate.

23. Choose the integer $m$ so that $d$ has no more than $m$ bits and that $q$ has $2m$ bits, appending extra
zeros to the front of $q$ if necessary. Then $m = O(\log_2 q) = O(\log_2 d)$. Then from Theorems 2.7
and 2.5, we know that there is an algorithm for dividing $q$ by $d$ in $O(m^2) = O(\log_2 q \log_2 d)$
bit operations. Now let $n$ be the number of steps needed in the Euclidean algorithm to find the
greatest common divisor of $a$ and $b$. Then by Theorem 3.12, $n = O(\log_2 a)$. Let $q_i$ and $r_i$ be as in
the proof of Theorem 3.12. Then the total number of bit operations for divisions in the Euclidean
algorithm is $\sum_{i=1}^{n} O(\log_2 q_i \log_2 r_i) = \sum_{i=1}^{n} O(\log_2 q_i \log_2 b) =
O\left(\log_2 b \sum_{i=1}^{n} \log_2 q_i\right) = O\left(\log_2 b \log_2 \prod_{i=1}^{n} q_i\right)$.
By dropping the remainder in each step of the Euclidean algorithm, we have the system of inequalities
$r_i \ge r_{i+1} q_{i+1}$, for $i = 0, 1, \ldots, n - 1$. Multiplying these inequalities together yields
$\prod_{i=0}^{n-1} r_i \ge \prod_{i=1}^{n} r_i q_i$. Cancelling common factors reduces this to
$a = r_0 \ge r_n \prod_{i=1}^{n} q_i$. Therefore, from above, we have that the total number of bit operations is
$O\left(\log_2 b \log_2 \prod_{i=1}^{n} q_i\right) = O(\log_2 b \log_2 a) = O((\log_2 a)^2)$.

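25. We apply the $Q_i$'s one at a time. When we multiply
$\begin{pmatrix} q_n & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} r_n \\ 0 \end{pmatrix} = \begin{pmatrix} q_n r_n \\ r_n \end{pmatrix} = \begin{pmatrix} r_{n-1} \\ r_n \end{pmatrix}$, the top
component is the last equation in the series of equations in the proof of Lemma 3.3. When we
multiply this result on the left by the next matrix we get
$\begin{pmatrix} q_{n-1} & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} r_{n-1} \\ r_n \end{pmatrix} = \begin{pmatrix} q_{n-1} r_{n-1} + r_n \\ r_{n-1} \end{pmatrix} = \begin{pmatrix} r_{n-2} \\ r_{n-1} \end{pmatrix}$,
which is the matrix version of the last two equations in the proof of Lemma 3.3. In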
general, at the ith step we have 1 10r„_ i _ 1 r„_/ = q n -i r n-i-\ + r„. j = 
so that we inductively work our way up the equations in the proof of Lemma 3.3, until finally we 
have $\begin{pmatrix} r_0 \\ r_1 \end{pmatrix} = \begin{pmatrix} a \\ b \end{pmatrix}$.


Section 3.5 

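1. a. $2^2 \cdot 3^2$ b. $3 \cdot 13$ c. $10^2 = 2^2 \cdot 5^2$ d. $17^2$ e. $2 \cdot 111 = 2 \cdot 3 \cdot 37$ f. $2^8$ g. $5 \cdot 103$
h. $23 \cdot 43$ i. $10 \cdot 504 = 2 \cdot 5 \cdot 4 \cdot 126 = 2^4 \cdot 3^2 \cdot 5 \cdot 7$ j. $8 \cdot 10^3 = 2^6 \cdot 5^3$ k. $3 \cdot 5 \cdot 7^2 \cdot 13$
l. $9 \cdot 1111 = 3^2 \cdot 11 \cdot 101$

3. $3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19$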

5. a. 2, 3 b. 2, 3, 5 c. 2, 3, 5, 7, 11, 13, 17, 19 d. 2, 3, 7, 13, 29, 31, 37, 41, 43, 47 

7. integers of the form $p^2$ where $p$ is prime; integers of the form $pq$ or $p^3$ where $p$ and $q$ are
distinct primes.

9. Let n = p^ l p^ 2 • • • p^qf’^q^ 1 ^ • • • qf’ 1 ^ be the factorization of a powerful number. Then 
n = (pVpT ' ' ' Pk k Q t'^ 2 2 ' ' ' ^') 2 (< 7 i <72 • • • qi) 3 is a product of a square and a cube. 

11. a. Suppose that $p^a \parallel m$ and $p^b \parallel n$. Then $m = p^a Q$ and $n = p^b R$, where both $Q$ and $R$ are
products of primes other than $p$. Hence, $mn = (p^a Q)(p^b R) = p^{a+b} QR$. It follows that $p^{a+b} \parallel mn$
because $p$ does not divide $QR$. b. If $p^a \parallel m$ then $m = p^a n$, where $p \nmid n$. Then $p \nmid n^k$ and we
have $m^k = p^{ka} n^k$ and we see that $p^{ka} \parallel m^k$. c. Suppose that $p^a \parallel m$ and $p^b \parallel n$ with $a \ne b$. Then
$m = p^a Q$ and $n = p^b R$ where both $Q$ and $R$ are products of primes other than $p$. Suppose, without
loss of generality, that $a = \min(a, b)$. Then $m + n = p^a Q + p^b R = p^{\min(a,b)}(Q + p^{b-a} R)$. Then
$p \nmid (Q + p^{b-a} R)$ because $p \nmid Q$ but $p \mid p^{b-a} R$. It follows that $p^{\min(a,b)} \parallel (m + n)$.

13. $2^{18} \cdot 3^8 \cdot 5^4 \cdot 7^2 \cdot 11 \cdot 13 \cdot 17 \cdot 19$

15. 300, 301, 302, 303, 304 

17. We compute $\alpha\beta = (ac - 5bd) + (ad + bc)\sqrt{-5}$. Thus, $N(\alpha\beta) = (ac - 5bd)^2 + 5(ad + bc)^2 =
a^2c^2 - 10acbd + 25b^2d^2 + 5a^2d^2 + 10adbc + 5b^2c^2 = a^2(c^2 + 5d^2) + 5b^2(5d^2 + c^2) =
(a^2 + 5b^2)(c^2 + 5d^2) = N(\alpha)N(\beta)$.

19. Suppose $3 = \alpha\beta$. Then by Exercise 17, $9 = N(3) = N(\alpha)N(\beta)$. Then $N(\alpha) = 1$, 3, or 9. Let
$\alpha = a + b\sqrt{-5}$. Then we must have $a^2 + 5b^2 = 1$, 3, or 9. So either $b = 0$ and $a = \pm 1$ or $\pm 3$,
or $b = \pm 1$ and $a = \pm 2$. Because $a = \pm 1$, $b = 0$ is excluded, and because $a = \pm 3$ forces $\beta = \pm 1$,
we must have $b = \pm 1$. That is, $\alpha = \pm 2 \pm \sqrt{-5}$. But then $N(\alpha) = 9$, and hence $N(\beta) = 1$, which
forces $\beta = \pm 1$.

21. Note that $21 = 3 \cdot 7 = (1 + 2\sqrt{-5})(1 - 2\sqrt{-5})$. We know 3 is prime from Exercise 19. Similarly,
if we seek $\alpha = a + b\sqrt{-5}$ such that $N(\alpha) = a^2 + 5b^2 = 7$, we find there are no solutions. For
$|b| = 0$ implies $a^2 = 7$, $|b| = 1$ implies $a^2 = 2$, and $|b| > 1$ implies $a^2 < 0$, and in each case there is
no such $a$. Hence, if $\alpha\beta = 7$, then $N(\alpha\beta) = N(\alpha)N(\beta) = N(7) = 49$. So one of $N(\alpha)$ and $N(\beta)$
must be equal to 49 and the other equal to 1. Hence, 7 is also prime. We have shown that there
are no numbers of the form $a + b\sqrt{-5}$ with norm 3 or 7. So in a similar fashion to the argument
above, if $\alpha\beta = 1 \pm 2\sqrt{-5}$, then $N(\alpha\beta) = N(\alpha)N(\beta) = N(1 \pm 2\sqrt{-5}) = 21$. And there are no
numbers with norm 3 or 7, so one of $\alpha$ and $\beta$ has norm 21 and the other has norm 1. Hence,
$1 \pm 2\sqrt{-5}$ is also prime.

23. The product of $4k + 1$ and $4l + 1$ is $(4k + 1)(4l + 1) = 16kl + 4k + 4l + 1 = 4(4kl + k + l) + 1 =
4m + 1$, where $m = 4kl + k + l$. Hence, the product of two integers of the form $4k + 1$ is also of
this form.

25. We proceed by strong mathematical induction on the elements of $H$. The first Hilbert number
greater than 1, namely 5, is a Hilbert prime because it is an integer prime. This completes the basis step.
For the inductive step, we assume that all numbers in $H$ less than or equal to $n$ can be factored
into Hilbert primes. The next greatest number in $H$ is $n + 4$. If $n + 4$ is a Hilbert prime, then we
are done. Otherwise, $n + 4 = hk$, where $h$ and $k$ are less than $n + 4$ and in $H$, and so both are less
than or equal to $n$. By the inductive hypothesis, $h$ and $k$ can be factored into Hilbert primes. Thus,
$n + 4$ can be written as the product of Hilbert primes.

27. 1, 2, 3, 4, 6, 8, 12, 24 

29. a. 77 b. 36 c. 150 d. 33,633 e. 605,605 f. 277,200 

31. a. $2^2 3^3 5^3 7^2$, $2^7 3^5 5^5 7^7$ b. 1, $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 19 \cdot 23 \cdot 29$
c. $2 \cdot 5 \cdot 11$, $2^3 \cdot 3 \cdot 5^7 \cdot 7 \cdot 11^{13} \cdot 13$ d. $101^{1000}$, $41^{11} 47^{11} 79^{111} 83^{111} 101^{1001}$

33. the year 2121 

35. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$ and $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, where $p_i$ is a prime and $r_i$ and $s_i$ are
nonnegative. Then $(a, b) = p_1^{\min(r_1, s_1)} \cdots p_k^{\min(r_k, s_k)}$ and $[a, b] = p_1^{\max(r_1, s_1)} \cdots p_k^{\max(r_k, s_k)}$, so
$[a, b] = (a, b)\, p_1^{\max(r_1, s_1) - \min(r_1, s_1)} \cdots p_k^{\max(r_k, s_k) - \min(r_k, s_k)}$. Because $\max(r_i, s_i) - \min(r_i, s_i)$ is clearly
nonnegative, we now see that $(a, b) \mid [a, b]$, and we have equality when $\max(r_i, s_i) - \min(r_i, s_i) = 0$
for each $i$, that is, if $r_i = s_i$ for each $i$, that is if $a = b$.

37. a. If $[a, b] \mid c$, then because $a \mid [a, b]$, $a \mid c$. Similarly, $b \mid c$. Conversely, suppose that
$a = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ and $b = p_1^{b_1} p_2^{b_2} \cdots p_n^{b_n}$ and $c = p_1^{c_1} p_2^{c_2} \cdots p_n^{c_n}$. If $a \mid c$ and $b \mid c$, then $\max(a_i, b_i) \le c_i$
for $i = 1, 2, \ldots, n$. Hence, $[a, b] \mid c$. b. We proceed by induction on $n$. The basis step is given by
part (a). Suppose the result holds for sets of $n - 1$ integers. Then $[a_1, \ldots, a_n] \mid d$ if and only if
$[[a_1, \ldots, a_{n-1}], a_n] \mid d$. (See Exercise 49.) This is true if and only if $[a_1, \ldots, a_{n-1}] \mid d$ and $a_n \mid d$
by part (a). By the induction hypothesis, this is true if and only if $a_i \mid d$ for $i = 1, 2, \ldots, n$. This
completes the induction step.

39. Assume that $p \mid a^n = \pm |a| \cdot |a| \cdots |a|$. Then by Lemma 3.5, $p \mid |a|$ and so $p \mid a$.

41. a. Suppose that $(a, b) = 1$ and $p \mid (a^n, b^n)$ where $p$ is a prime. It follows that $p \mid a^n$ and $p \mid b^n$.
By Exercise 41, $p \mid a$ and $p \mid b$. But then $p \mid (a, b) = 1$, which is a contradiction. b. Suppose that
$a$ does not divide $b$, but $a^n \mid b^n$. Then there is some prime power, say, $p^r$, that divides $a$ but does
not divide $b$ (or else $a \mid b$ by the fundamental theorem of arithmetic). Thus, $a = p^r Q$, where $Q$ is
an integer. Now $a^n = (p^r Q)^n = p^{rn} Q^n$, so $p^{rn} \mid a^n \mid b^n$. Then $b^n = mp^{rn}$, from which it follows
that each of the $n$ $b$'s must by symmetry contain $r$ $p$'s. But this is a contradiction.

43. Suppose that $x = \sqrt{2} + \sqrt{3}$. Then $x^2 = 2 + 2\sqrt{2}\sqrt{3} + 3 = 5 + 2\sqrt{6}$. Hence, $x^2 - 5 = 2\sqrt{6}$. It
follows that $x^4 - 10x^2 + 25 = 24$. Consequently, $x^4 - 10x^2 + 1 = 0$. By Theorem 3.17, it follows
that $\sqrt{2} + \sqrt{3}$ is irrational, because it is not an integer (we can see this because $3 < \sqrt{2} + \sqrt{3} < 4$).

45. Suppose that $m/n = \log_p b$. This implies that $p^{m/n} = b$, from which it follows that $p^m = b^n$.
Because $b$ is not a power of $p$, there must be another prime, say, $q$, such that $q \mid b$. But then
$q \mid b \mid b^n = p^m = p \cdot p \cdots p$. By Lemma 2.4, $q \mid p$, which is impossible because $p$ is a prime
number.

47. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$, and $t_i$
nonnegative. Observe that $\min(x, \max(y, z)) = \max(\min(x, y), \min(x, z))$. We also know that
$[a, b] = p_1^{\max(r_1, s_1)} p_2^{\max(r_2, s_2)} \cdots p_k^{\max(r_k, s_k)}$, so
$([a, b], c) = p_1^{\min(t_1, \max(r_1, s_1))} p_2^{\min(t_2, \max(r_2, s_2))} \cdots p_k^{\min(t_k, \max(r_k, s_k))}$.
We also know that $(a, c) = p_1^{\min(r_1, t_1)} p_2^{\min(r_2, t_2)} \cdots p_k^{\min(r_k, t_k)}$ and
$(b, c) = p_1^{\min(s_1, t_1)} p_2^{\min(s_2, t_2)} \cdots p_k^{\min(s_k, t_k)}$, so
$[(a, c), (b, c)] = p_1^{\max(\min(r_1, t_1), \min(s_1, t_1))} p_2^{\max(\min(r_2, t_2), \min(s_2, t_2))} \cdots p_k^{\max(\min(r_k, t_k), \min(s_k, t_k))}$.
Therefore, $([a, b], c) = [(a, c), (b, c)]$. In
a similar manner, noting that $\min(\max(x, z), \max(y, z)) = \max(\min(x, y), z)$, we find that
$[(a, b), c] = ([a, c], [b, c])$.

49. Let $c = [a_1, \ldots, a_n]$, $d = [[a_1, \ldots, a_{n-1}], a_n]$, and $e = [a_1, \ldots, a_{n-1}]$. If $c \mid m$, then all $a_i$'s
divide $m$, and hence $e \mid m$ and $a_n \mid m$, so $d \mid m$. Conversely, if $d \mid m$, then $e \mid m$ and $a_n \mid m$, and so
all $a_i$'s divide $m$; thus $c \mid m$. Because $c$ and $d$ divide all the same numbers, they must be equal.

51. a. There are six cases, all handled the same way. So without loss of generality, suppose
that $a \le b \le c$. Then $\max(a, b, c) = c$, $\min(a, b) = a$, $\min(a, c) = a$, $\min(b, c) = b$, and
$\min(a, b, c) = a$. Hence, $c = \max(a, b, c) = a + b + c - \min(a, b) - \min(a, c) - \min(b, c) +
\min(a, b, c) = a + b + c - a - a - b + a$. b. The power of a prime $p$ that occurs in the prime
factorization of $[a, b, c]$ is $\max(a, b, c)$ where $a$, $b$, and $c$ are the powers of this prime in the
factorizations of $a$, $b$, and $c$, respectively. Also, $a + b + c$ is the power of $p$ in $abc$, $\min(a, b)$
is the power of $p$ in $(a, b)$, $\min(a, c)$ is the power of $p$ in $(a, c)$, $\min(b, c)$ is the power
of $p$ in $(b, c)$, and $\min(a, b, c)$ is the power of $p$ in $(a, b, c)$. It follows that $a + b + c -
\min(a, b) - \min(a, c) - \min(b, c)$ is the power of $p$ in $abc(a, b, c)/((a, b)(a, c)(b, c))$. Hence,
$[a, b, c] = abc(a, b, c)/((a, b)(a, c)(b, c))$.

53. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$,
and nonnegative. Then p' i+Si+t ‘ || abc, but || (a, b, c) and pn+ s i+ t i- nun ( r h^. t i) y 

[ab, ac, ab\ and . p n+^i-mm(r h s hti ) = p n+s i+ti 

55. Let $a = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, $b = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, and $c = p_1^{t_1} p_2^{t_2} \cdots p_k^{t_k}$, with $p_i$ prime and $r_i$, $s_i$,
and $t_i$ nonnegative. Then, using that $(a, b, c) = p_1^{\min(r_1, s_1, t_1)} p_2^{\min(r_2, s_2, t_2)} \cdots p_k^{\min(r_k, s_k, t_k)}$ and
$[a, b, c] = p_1^{\max(r_1, s_1, t_1)} p_2^{\max(r_2, s_2, t_2)} \cdots p_k^{\max(r_k, s_k, t_k)}$, we can write the prime factorization of
$([a, b], [a, c], [b, c])$ and $[(a, b), (a, c), (b, c)]$. For instance, consider the case where $k = 1$.
Then $([a, b], [a, c], [b, c]) = (p_1^{\max(r_1, s_1)}, p_1^{\max(r_1, t_1)}, p_1^{\max(s_1, t_1)}) = p_1^{\min(\max(r_1, s_1), \max(r_1, t_1), \max(s_1, t_1))}$.
Similarly, $[(a, b), (a, c), (b, c)] = p_1^{\max(\min(r_1, s_1), \min(r_1, t_1), \min(s_1, t_1))}$. Clearly, these two are equal
(examine the six orderings $r_1 \ge s_1 \ge t_1, \ldots$).

57. First note that there are arbitrarily long sequences of composites in the integers. For example,
$(n + 2)! + 2, (n + 2)! + 3, \ldots, (n + 2)! + (n + 2)$ is a sequence of $n$ consecutive composites.
To find a sequence of $n$ composites in the sequence $a, a + b, a + 2b, \ldots$, look at the integers
in $a, a + b, a + 2b, \ldots$ with absolute values between $(nb + 2)! + 2$ and $(nb + 2)! + (nb + 2)$.
There are clearly $n$ or $n + 1$ such integers, and all are composite.

59. 103 

61. 701 

63. Let $a = \prod_i p_i^{\alpha_i}$ and $b = \prod_i p_i^{\beta_i}$. The condition $(a, b) = 1$ is equivalent to $\min(\alpha_i, \beta_i) = 0$ for
all $i$, and the condition $ab = c^n$ is equivalent to $n \mid (\alpha_i + \beta_i)$ for all $i$. Hence, $n \mid \alpha_i$ and $\beta_i = 0$ or
$n \mid \beta_i$ and $\alpha_i = 0$. Let $d$ be the product of $p_i^{\alpha_i/n}$ over all $i$ of the first kind, and let $e$ be the product
of $p_i^{\beta_i/n}$ over all $i$ of the second kind. Then $d^n = a$ and $e^n = b$.

65. Suppose the contrary and that $a \le n$ is in the set. Then $2a$ cannot be in the set. Thus, if there are
$k$ elements in the set not exceeding $n$, then there are $k$ integers between $n + 1$ and $2n$ that cannot
be in the set. So there are at most $k + (n - k) = n$ elements in the set.

67. $m = n$ or $\{m, n\} = \{2, 4\}$

69. For j / i, Pi\Qj, because it is one of the factors. So p t must divide S — Qj — Q t — 

Pi • • • Pj-iPj+i • • • p r , but by the fundamental theorem of arithmetic, p t must be equal to one of 
these last factors, a contradiction. 

71. Let $p$ be the largest prime less than or equal to $n$. If $2p$ were less than or equal to $n$, then Bertrand’s
postulate would guarantee another prime $q$ such that $p < q < 2p \le n$, contradicting the choice
of $p$. Therefore, we know that $n < 2p$. Therefore, in the product $n! = 1 \cdot 2 \cdot 3 \cdots n$, there appears
only one multiple of $p$, namely, $p$ itself, and so in the prime factorization of $n!$, $p$ appears with
exponent 1.

73. a. Uniqueness follows from the Fundamental Theorem. If a prime p t doesn’t appear in the prime 
factorization, then we include it in the product with an exponent of 0. Because e, > 0, we have 
P C \ = P e \Pi " ' Pr — P e \Pi • • • p e r T = m. b. Because p\‘ < p^ < m < Q = p ", we take logs of 
both sides to get e t log p\<n log p r . Solving for e t gives the first inequality. If 1 < m < Q, then 
m has a prime-power factorization of the form given in part (a), so the r -tuples of exponents count 
the number of integers in the range 1 <m < Q. c. To bound the number of r-tuples, by part (b) 
there are at most Cn + 1 choices for each e t , and therefore there are at most (Cn + l) r r-tuples, 
which by part (b) gives us p" < (Cn + l) r = (n(C + 1 /n)) r < n r (C + l) r . d. Taking logs of both 
sides of the inequality in part (c) and solving for n yields n < (r log n + log(C + 1))/ log p r , but 
because n grows much faster than log n, the left side must be larger than the right for large values 
of n. This contradiction shows there must be infinitely many primes. 

75. $S(40) = 5$, $S(41) = 41$, $S(43) = 43$

77. $a(n) = 1, 2, 3, 4, 5, 9, 7, 32, 27, 25, 11, \ldots$

79. From Exercise 78, we have $S(p) = p$ whenever $p$ is prime. If $m < p$ and $m \mid S(p)! = p!$, then
$m \mid (p - 1)!$, so $S(p)$ must be the first time that $S(n)$ takes on the value $p$. Therefore, of all the
inverses of $p$, $p$ is the least.

81. Let $n$ be a positive integer and suppose $n$ is square-free. Then no prime can appear to a power
greater than 1 in the prime-power factorization of $n$. So $n = p_1 p_2 \cdots p_r$ for some distinct primes
$p_i$. Then $\mathrm{rad}(n) = p_1 p_2 \cdots p_r = n$. Conversely, if $n$ is not square-free, then some prime factor
$p_1$ appears to a power greater than 1 in the prime-power factorization of $n$. So $n = p_1^{a} p_2^{b_2} \cdots p_r^{b_r}$
with $a \ge 2$. Then $\mathrm{rad}(n) = p_1 p_2 \cdots p_r < n$.

83. Because every prime occurring in the prime-power factorization of mn occurs in either the 
factorization of m or n, every factor in rad(mn) occurs at least once in the product rad(m)rad(n), 
which gives us the inequality. If ra = />“'•• • p/ r and n = q\ l ■ ■ ■ q s s are relatively prime, then we 
have $\mathrm{rad}(mn) = p_1 \cdots p_r q_1 \cdots q_s = \mathrm{rad}(m)\,\mathrm{rad}(n)$.

85 . First note that if p \ ( 2 "), then p < 2n. This is true because every factor of the numerator of 
( 2 ") = is less than or equal to 2 n. Let ( 2 ") = p^p^ • • • p[ k be the factorization of ( 2 ") into 
distinct primes. By the definition of n, k < tt( 2 n). By Exercise 84, p r .' < 2n. It now follows that 

Cn) = Pi Pi • • • Pk ^ ( 2 ")( 2 ”) • • • (2n) < (2 nyW. 

87 . Note that ( 2 ”) < (?) = (! + l) 2n = 2 2n . Then from Exercise 86, < ( 2n ) < 2 2n . 

Taking logarithms gives (n(2n) — tt(m)) log n < log(2 2n ) = n log 4. Now divide by log n. 

89. Note that 2" = 2 < 11”=] ( w + a )/ a = (?)• Then by Exercise 85, 2" < (2n) n( ^ n \ Taking logs 

gives tt (2 n) > n log 2/ log 2 n . Hence, for a real number x, we have n (x) > [x/2] log 2/ log [x] > 
Cjx/ log x. For the other half, Exercise 65 gives 7r(x) — tt(x/2 ) < ax/ log x, where a is a 
constant. Then log x/2 m 7r(x/2 m ) — log x/2 m+l jt(x/2 m+1 ) < ax/2 m for any positive integer m. 
Then log X7r(x) = Yh^o (fogx/2 m jt(x/2 m )- \ogx/2 m+1 n(x/2 m+1 )) < ax Y,m=o V2 m < c 2 x, 
where v is the largest integer such that 2 v+l < x. Then 7r(x) < c 2 x/log x. 

Section 3.6 

1. a. $3 \cdot 5^2 \cdot 7^3 \cdot 13 \cdot 101$ b. $11^3 \cdot 13 \cdot 19 \cdot 641$ c. $13 \cdot 17 \cdot 19 \cdot 47 \cdot 71 \cdot 97$

3. a. $143 = 12^2 - 1 = (12 + 1)(12 - 1) = 13 \cdot 11$ b. $2279 = 48^2 - 5^2 = (48 + 5)(48 - 5) = 53 \cdot 43$
c. 43 is prime. d. $11413 = 107^2 - 6^2 = (107 + 6)(107 - 6) = 113 \cdot 101$

5. Note that $(50 + n)^2 = 2500 + 100n + n^2$ and $(50 - n)^2 = 2500 - 100n + n^2$. The first equation
shows that the possible final two digits of squares can be found by examining the squares of
the integers $0, 1, \ldots, 49$, and the second equation shows that these final two digits can be
found by examining the squares of the integers $0, 1, \ldots, 25$. We find that $0^2 = 0$, $1^2 = 1$, $2^2 = 4$,
$3^2 = 9$, $4^2 = 16$, $5^2 = 25$, $6^2 = 36$, $7^2 = 49$, $8^2 = 64$, $9^2 = 81$, $10^2 = 100$, $11^2 = 121$, $12^2 = 144$,
$13^2 = 169$, $14^2 = 196$, $15^2 = 225$, $16^2 = 256$, $17^2 = 289$, $18^2 = 324$, $19^2 = 361$, $20^2 = 400$,
$21^2 = 441$, $22^2 = 484$, $23^2 = 529$, $24^2 = 576$, and $25^2 = 625$. It follows that the last two
digits of a square are 00, e1, e4, 25, o6, and e9, where e represents an even digit and o represents
an odd digit.

7. Suppose that $x^2 - n$ is a perfect square with $x > (n + p^2)/2p$, say, $a^2$. Now, $a^2 = x^2 - n >
((n + p^2)/2p)^2 - n = ((n - p^2)/2p)^2$. It follows that $a > (n - p^2)/2p$. From these inequalities
for $x$ and $a$, we see that $x + a > n/p$, or $n < p(x + a)$. Also, $a^2 = x^2 - n$ tells us that
$(x - a)(x + a) = n$. Now, $(x - a)(x + a) = n < p(x + a)$. Canceling, we find that $x - a < p$.
But because $x - a$ is a divisor of $n$ less than $p$, the smallest prime divisor of $n$, it follows that
$x - a = 1$. In this case, $x = (n + 1)/2$.
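
The difference-of-squares search behind the answers to Exercise 3, with the bound from Exercise 7 checked against the point where the search stops. This is an added example, not code from the book; the function names are chosen here for illustration.

```python
from math import isqrt


def fermat_factor(n):
    """Fermat's difference-of-squares search for an odd integer n > 1.

    Returns (x, a, steps) where x is the smallest integer >= sqrt(n) for
    which x*x - n is a perfect square a*a, so n = (x + a)(x - a), and
    steps counts how many values of x were rejected first.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer greater than 1")
    x = isqrt(n)
    if x * x < n:
        x += 1                      # start at ceil(sqrt(n))
    steps = 0
    while True:
        d = x * x - n
        a = isqrt(d)
        if a * a == d:              # x^2 - n is a perfect square
            return x, a, steps
        x += 1
        steps += 1


def smallest_prime_factor(n):
    """Smallest prime divisor of n >= 2, by plain trial division."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


def fermat_report(n):
    """Run the search and compare its stopping point with Exercise 7.

    With p the smallest prime divisor of n, Exercise 7 says that any x
    beyond (n + p^2)/(2p) can only give the trivial split x - a = 1, so a
    nontrivial split is always found at or before that bound.
    """
    x, a, steps = fermat_factor(n)
    p = smallest_prime_factor(n)
    bound = (n + p * p) // (2 * p)  # exact for odd n: (p + n/p) / 2
    return {
        "n": n,
        "x": x,
        "a": a,
        "factors": (x + a, x - a),
        "steps": steps,
        "bound": bound,
        "is_prime": x - a == 1,     # only the trivial split n * 1 exists
    }


if __name__ == "__main__":
    for n in (143, 2279, 43, 11413):        # the four parts of Exercise 3
        print(fermat_report(n))
```

The three composites are found on the first value of x because their factors are close together; the cost grows with the gap between the factors, which is why RSA key generation avoids primes that are close to each other.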

9. From the identity in Exercise 8, it is clear that if n = n x is a multiple of 2k + 1, then so 
is n k , because it is the sum of two multiples of 2k + 1. If (2k + 1) | n k , then (2k + 1) | r k 
and it follows from r k < 2k + 1 that r k = 0. Thus, n k = (2k + 1 )q k . Continuing, we see that 
n = n + 2 n k — 2(2 k + 1 )q k = (2k + l)n + 2 (n k - kn ) - 2(2 k + 1 )q k . It follows from Exercise 8 
that n = (2k + l)n - 2(2 k + 1) £*“/ q t - 2(2 k + 1 )q k = (2k + l)n - 2(2 k + 1) £* =1 q t . Using 
Exercise 8 again, we conclude that n = (2k + l)(n — 2 £* =1 q t ) = (2k + 1 )/n fc+1 . 

11. To see that $u$ is even, note that $a - c$ is the difference of odd numbers and that $b - d$ is the
difference of even numbers. Thus, $a - c$ and $b - d$ are even, and $u$ must be as well. That
$(r, s) = 1$ follows trivially from Theorem 2.1(i). To continue, $a^2 + b^2 = c^2 + d^2$ implies
that $(a + c)(a - c) = (d - b)(d + b)$. Dividing both sides of this equation by $u$, we find that
$r(a + c) = s(d + b)$. From this, it is clear that $s \mid r(a + c)$. But because $(r, s) = 1$, $s \mid a + c$.

13. To factor $n$, observe that $[(u/2)^2 + (v/2)^2](r^2 + s^2) = (1/4)(r^2u^2 + r^2v^2 + s^2u^2 + s^2v^2)$. Substituting
$a - c$, $d - b$, $a + c$, and $d + b$ for $ru$, $su$, $sv$, and $rv$, respectively, will allow everything to be
simplified down to $n$. As $u$ and $v$ are both even, both of the factors are integers.

15. We have $2^{4n+2} + 1 = 4(2^n)^4 + 1 = (2 \cdot 2^{2n} + 2 \cdot 2^n + 1)(2 \cdot 2^{2n} - 2 \cdot 2^n + 1)$. Using this identity,
we have the factorization $2^{18} + 1 = 4(2^4)^4 + 1 = (2 \cdot 2^8 + 2 \cdot 2^4 + 1)(2 \cdot 2^8 - 2 \cdot 2^4 + 1) =
(2^9 + 2^5 + 1)(2^9 - 2^5 + 1) = 545 \cdot 481$.

17. We can prove that the last digit in the decimal expansion of $F_n$ is 7 for $n \ge 2$ by proving that the
last digit in the decimal expansion of $2^{2^n}$ is 6 for $n \ge 2$. This can be done using mathematical
induction. We have $2^{2^2} = 16$, so the result is true for $n = 2$. Now assume that the last decimal digit
of $2^{2^n}$ is 6, that is, $2^{2^n} \equiv 6 \pmod{10}$. It follows that
$2^{2^{n+1}} = (2^{2^n})^{2^{n+1-n}} \equiv 6^{2^{n+1-n}} \equiv 6 \pmod{10}$.
This completes the proof.

19. Because every prime factor of $F_5 = 2^{2^5} + 1 = 4{,}294{,}967{,}297$ is of the form $2^7 k + 1 = 128k + 1$,
attempt to factor $F_5$ by trial division by primes of this form. We find that $128 \cdot 1 + 1 = 129$
is not prime, $128 \cdot 2 + 1 = 257$ is prime but does not divide 4,294,967,297, $128 \cdot 3 + 1 = 385$
is not prime, $128 \cdot 4 + 1 = 513$ is not prime, and $128 \cdot 5 + 1 = 641$ is prime and does divide
4,294,967,297 with $4{,}294{,}967{,}297 = 641 \cdot 6{,}700{,}417$. Any factor of 6,700,417 is also a factor of
4,294,967,297. We attempt to factor 6,700,417 by trial division by primes of the form $128k + 1$
beginning with 641. We first note that 641 does not divide 6,700,417. Among the other integers of
the form $128k + 1$ less than $\sqrt{6{,}700{,}417}$, namely the integers 769, 897, 1025, 1153, 1281, 1409,
1537, 1665, 1793, 1921, 2049, 2177, 2305, 2433, and 2561, only 769, 1153, and 1409 are prime,
and none of them divide 6,700,417. Hence, 6,700,417 is prime and the prime factorization of $F_5$
is $641 \cdot 6{,}700{,}417$.
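
The search in Exercise 19, written out for a general Fermat number $F_n$ with $n \ge 2$, where the candidate divisors are the primes of the form $2^{n+2}k + 1$ (the form $128k + 1$ used above is the case $n = 5$). This is an added example, not code from the book, and the function names are chosen here.

```python
def is_prime(m):
    """Primality by trial division; adequate for the small candidates here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True


def fermat_number(n):
    """F_n = 2^(2^n) + 1."""
    return 2 ** (2 ** n) + 1


def factor_fermat_number(n):
    """Factor F_n (n >= 2) by trial division restricted to k * 2^(n+2) + 1.

    Returns (factors, tried): the prime factors found, in increasing order,
    and the prime candidates that were actually divided into the cofactor.
    Composite candidates such as 129, 385 and 513 are skipped, as in the
    worked answer.
    """
    if n < 2:
        raise ValueError("the divisor form k * 2^(n+2) + 1 is used for n >= 2")
    step = 2 ** (n + 2)
    remaining = fermat_number(n)
    factors, tried = [], []
    c = step + 1
    # Once c exceeds sqrt(remaining), whatever is left must be prime.
    while c * c <= remaining:
        if is_prime(c):
            tried.append(c)
            while remaining % c == 0:
                factors.append(c)
                remaining //= c
        c += step
    if remaining > 1:
        factors.append(remaining)
    return factors, tried


if __name__ == "__main__":
    factors, tried = factor_fermat_number(5)
    print("F_5 =", fermat_number(5))
    print("prime candidates tried:", tried)
    print("factorization:", " * ".join(str(f) for f in factors))
```

Only five divisions are needed for $F_5$, against the several hundred primes below $\sqrt{6{,}700{,}417}$ that unrestricted trial division would have to try.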
21. $2^n / \log_2 10 + 1$

23. See Exercise 23 in Section 3.2. 

Section 3.7 

1. a. $x = 33 - 5t$, $y = -11 + 2t$ b. $x = -300 + 13t$, $y = 400 - 17t$ c. $x = 21 - 2t$, $y = -21 + 3t$
d. no solutions e. $x = 889 - 1969t$, $y = -633 + 1402t$

3. 63 US$,41 Can$ 

5. 53 Euros, 35 Pounds 

7. 17 apples, 23 oranges 

9. a. (1, 16), (4, 14), (7, 12), . . . , (22, 2), (25, 0) b. no solutions 
c. 18 solutions: (0, 37), (3, 35), . . . , (54, 1) 

11. a. $x = -5 + 3s - 2t$, $y = 5 - 2s$, $z = t$ b. no solutions c. $x = -1 + 102s + t$,
$y = 1 - 101s - 2t$, $z = t$

13. Let $x$, $y$, and $z$ be the number of pennies, dimes, and quarters, respectively. When $z = 0$, we have
$x = 9, y = 9$; $x = 19, y = 8$; $x = 29, y = 7$; $x = 39, y = 6$; $x = 49, y = 5$; $x = 59, y = 4$;
$x = 69, y = 3$; $x = 79, y = 2$; $x = 89, y = 1$; $x = 99, y = 0$. When $z = 1$, we have $x = 4, y = 7$;
$x = 14, y = 6$; $x = 24, y = 5$; $x = 34, y = 4$; $x = 44, y = 3$; $x = 54, y = 2$; $x = 64, y = 1$;
$x = 74, y = 0$. When $z = 2$, we have $x = 9, y = 4$; $x = 19, y = 3$; $x = 29, y = 2$; $x = 39, y = 1$;
$x = 49, y = 0$. When $z = 3$, we have $x = 4, y = 2$; $x = 14, y = 1$; $x = 24, y = 0$.

15. a. $x = 92 + 6t$, $y = 8 - 7t$, $z = t$ b. no solution c. $x = 50 - t$, $y = -100 + 3t$,
$z = 150 - 3t$, $w = t$

17. 9, 19, 41 

19. The quadrilateral with vertices $(b, 0)$, $(0, a)$, $(b - 1, -1)$, and $(-1, a - 1)$ has area $a + b$. Pick’s
Theorem, from elementary geometry, states that the area of a simple polygon whose vertices are
lattice points (points with integer coordinates) is given by $\tfrac{1}{2}x + y - 1$, where $x$ is the number of
lattice points on the boundary and $y$ is the number of lattice points inside the polygon. Because
$(a, b) = 1$, $x = 4$, and therefore, by Pick’s Theorem, the quadrilateral contains $a + b - 1$ lattice
points. Every point corresponds to a different value of $n$ in the range $ab - a - b < n < ab$.
Therefore, every $n$ in the range must get hit, so the equation is solvable.

21. See the solution to Exercise 19. The line $ax + by = ab - a - b$ bisects the rectangle with vertices
$(-1, a - 1)$, $(-1, -1)$, $(b - 1, a - 1)$, and $(b - 1, -1)$ but contains no lattice points. Hence,
half the interior points are below the line and half are above. The half below correspond to
$n < ab - a - b$ and there are $(a - 1)(b - 1)/2$ of them.

23. (0, 25, 75); (4, 18, 78); (8, 11, 81); (12, 4, 84) 

Section 4.1 

1. a. $2 \mid (13 - 1) = 12$ b. $5 \mid (22 - 7) = 15$ c. $13 \mid (91 - 0) = 91$ d. $7 \mid (69 - 62) = 7$
e. $3 \mid (-2 - 1) = -3$ f. $11 \mid (-3 - 30) = -33$ g. $40 \mid (111 - (-9)) = 120$ h. $37 \mid (666 - 0) = 666$

3. a. 1, 2, 11, 22 b. 1, 3, 9, 27, 37, 111, 333, 999 c. 1, 11, 121, 1331

5. Suppose that $a$ is odd. Then $a = 2k + 1$ for some integer $k$. Then $a^2 = (2k + 1)^2 = 4k^2 + 4k + 1 =
4k(k + 1) + 1$. If $k$ is even, then $k = 2l$ where $l$ is an integer. Then $a^2 = 8l(2l + 1) + 1$. Hence,
$a^2 \equiv 1 \pmod 8$. If $k$ is odd, then $k = 2l + 1$ where $l$ is an integer. Then $a^2 = 4(2l + 1)(2l + 2) + 1 =
8(2l + 1)(l + 1) + 1$. Hence, $a^2 \equiv 1 \pmod 8$. It follows that $a^2 \equiv 1 \pmod 8$ whenever $a$ is odd.

7. a. 15 b. 8 c. 25 d. 27 e. 8 f. 27 
9. a. 1 b. 5 c. 9 d. 13

11. By the Division Algorithm, there exist integers $q_1, q_2, r_1, r_2$ such that $a = q_1 m + r_1$ and
$b = q_2 m + r_2$, with $0 \le r_1, r_2 < m$. Then $a \bmod m = r_1$ and $b \bmod m = r_2$. Suppose that $r_1 = r_2$,
then $a - b = m(q_1 - q_2) + (r_1 - r_2) = m(q_1 - q_2)$. Then $m \mid a - b$, and so $a \equiv b \pmod m$.

13. Because $a \equiv b \pmod m$, there exists an integer $k$ such that $a = b + km$. Thus, $ac = (b + km)c =
bc + k(mc)$. By Theorem 4.1, $ac \equiv bc \pmod{mc}$.

15. a. We proceed by induction on $n$. It is clearly true for $n = 1$. For the inductive step, we
assume that $\sum_{j=1}^{n} a_j \equiv \sum_{j=1}^{n} b_j \pmod m$ and that $a_{n+1} \equiv b_{n+1} \pmod m$. Now
$\sum_{j=1}^{n+1} a_j = \left(\sum_{j=1}^{n} a_j\right) + a_{n+1} \equiv \left(\sum_{j=1}^{n} b_j\right) + b_{n+1} = \sum_{j=1}^{n+1} b_j \pmod m$
by Theorem 4.6(i). This completes
the proof. b. We use induction on $n$. For $n = 1$, the identity clearly holds. This completes the
basis step. For the inductive step, we assume that $\prod_{j=1}^{n} a_j \equiv \prod_{j=1}^{n} b_j \pmod m$ and
$a_{n+1} \equiv b_{n+1} \pmod m$. Then
$\prod_{j=1}^{n+1} a_j = a_{n+1}\left(\prod_{j=1}^{n} a_j\right) \equiv b_{n+1}\left(\prod_{j=1}^{n} b_j\right) = \prod_{j=1}^{n+1} b_j \pmod m$
by Theorem 4.6(iii). This completes the proof.

17. Let $m = 6$, $a = 4$, and $b = 5$. Then $4 \bmod 6 = 4$ and $5 \bmod 6 = 5$, but $4 \cdot 5 \bmod 6 = 2 \ne 4 \cdot 5$.

19. By the Division Algorithm, there exist integers $q_1, q_2, r_1, r_2$ such that $a = q_1 m + r_1$ and
$b = q_2 m + r_2$, with $0 \le r_1, r_2 < m$. Then $ab \equiv r_1 r_2 \pmod m$ by Theorem 4.6(iii). By definition,
$a \bmod m = r_1$ and $b \bmod m = r_2$, so $((a \bmod m)(b \bmod m)) \bmod m = (r_1 r_2) \bmod m = ab \bmod m$,
by Exercise 10.

23. a. 4 o’clock b. 6 o’clock c. 4 o’clock

25. $a \equiv \pm b \pmod p$

27. Note that $1 + 2 + 3 + \cdots + (n - 1) = (n - 1)n/2$. If $n$ is odd, then $(n - 1)$ is even, so $(n - 1)n/2$
is an integer. Hence, $n \mid (1 + 2 + 3 + \cdots + (n - 1))$ if $n$ is odd, and $1 + 2 + 3 + \cdots + (n - 1) \equiv 0
\pmod n$. If $n$ is even, then $n = 2k$ where $k$ is an integer. Then $(n - 1)n/2 = (n - 1)k$. We can
easily see that $n$ does not divide $(n - 1)k$, because $(n, n - 1) = 1$ and $k < n$. It follows that
$1 + 2 + \cdots + (n - 1)$ is not congruent to 0 modulo $n$ if $n$ is even.

29. those n relatively prime to 6 

31. If $n = 1$, then $5 = 5^1 \equiv 1 + 4(1) \pmod{16}$, so the basis step holds. For the inductive step, we assume
that $5^n \equiv 1 + 4n \pmod{16}$. Now $5^{n+1} = 5^n \cdot 5 \equiv (1 + 4n)5 \pmod{16}$ by Theorem 4.4(iii). Further,
$(1 + 4n)5 = 5 + 20n \equiv 5 + 4n \pmod{16}$. Finally, $5 + 4n = 1 + 4(n + 1)$. So $5^{n+1} \equiv 1 + 4(n + 1)
\pmod{16}$.

33. Note that if $x \equiv 0 \pmod 4$ then $x^2 \equiv 0 \pmod 4$, if $x \equiv 1 \pmod 4$ then $x^2 \equiv 1 \pmod 4$, if
$x \equiv 2 \pmod 4$ then $x^2 \equiv 4 \equiv 0 \pmod 4$, and if $x \equiv 3 \pmod 4$ then $x^2 \equiv 9 \equiv 1 \pmod 4$. Hence,
$x^2 \equiv 0$ or $1 \pmod 4$ whenever $x$ is an integer. It follows that $x^2 + y^2 \equiv 0$, 1 or $2 \pmod 4$ whenever $x$ and
$y$ are integers. We see that $n$ is not the sum of two squares when $n \equiv 3 \pmod 4$.

35. By Theorem 4.1, for some integer $a$, $ap^k = x^2 - x = x(x - 1)$. By the fundamental theorem of
arithmetic, $p^k$ is a factor of $x(x - 1)$. Because $p$ cannot divide both $x$ and $x - 1$, we know that
$p^k \mid x$ or $p^k \mid x - 1$. Thus, $x \equiv 0$ or $x \equiv 1 \pmod{p^k}$.

37. First note that there are $m_1$ possibilities for $a_1$, $m_2$ possibilities for $a_2$, and in general $m_i$
possibilities for $a_i$. Thus, there are $m_1 m_2 \cdots m_k$ expressions of the form $M_1 a_1 + M_2 a_2 + \cdots + M_k a_k$
where $a_1, a_2, \ldots, a_k$ run through complete systems of residues modulo $m_1, m_2, \ldots, m_k$,
respectively. Because this is exactly the size of a complete system of residues modulo $M$,
the result will follow if we can show distinctness of each of these expressions modulo $M$. Suppose
that $M_1 a_1 + M_2 a_2 + \cdots + M_k a_k \equiv M_1 a_1' + M_2 a_2' + \cdots + M_k a_k' \pmod M$. Then $M_1 a_1 \equiv M_1 a_1'
\pmod{m_1}$, because $m_1$ divides each of $M_2, M_3, \ldots, M_k$, and, further, $a_1 \equiv a_1' \pmod{m_1}$, because
$(M_1, m_1) = 1$. Similarly, $a_i \equiv a_i' \pmod{m_i}$. Thus, $a_i'$ is in the same congruence class modulo $m_i$
as $a_i$ for all $i$. The result now follows.

39. a. Let $\sqrt{n} = a + r$, where $a$ is an integer and $0 \le r < 1$. We now consider two cases, when $0 \le r < \tfrac{1}{2}$
and when $\tfrac{1}{2} \le r < 1$. For the first case, $T = [\sqrt{n} + \tfrac{1}{2}] = a$, and so $t = T^2 - n = -(2ar + r^2)$.
Thus, $|t| = 2ar + r^2 < 2a(\tfrac{1}{2}) + (\tfrac{1}{2})^2 = a + \tfrac{1}{4}$. Because both $T$ and $n$ are integers, $t$ is also an
integer. It follows that $|t| \le [a + \tfrac{1}{4}] = a = T$. For the second case, when $\tfrac{1}{2} \le r < 1$, we find that
$T = [\sqrt{n} + \tfrac{1}{2}] = a + 1$ and $t = 2a(1 - r) + (1 - r^2)$. Because $\tfrac{1}{2} \le r < 1$, $0 < (1 - r) \le \tfrac{1}{2}$ and
$0 < 1 - r^2 < 1$. It follows that $t \le 2a(\tfrac{1}{2}) + (1 - r^2)$. Because $t$ is an integer, we can say that
$|t| \le [a + (1 - r^2)] = a < T$. b. By the division algorithm, we see that if we divide $x$ by $T$,
we get $x = aT + b$, where $0 \le b < T$. If $a$ were negative, then $x = aT + b \le (-1)T + b < 0$;
but we assumed $x$ to be nonnegative. This shows that $0 \le a$. Suppose now that $a > T$. Then
$x = aT + b \ge (T + 1)T = T^2 + T > (\sqrt{n} - \tfrac{1}{2})^2 + (\sqrt{n} - \tfrac{1}{2}) = n - \tfrac{1}{4}$ and, as $x$ and $n$ are integers,
$x \ge n$. This is a contradiction, which shows that $a \le T$. Similarly, $0 \le c \le T$ and $0 \le d < T$. c.
$xy = (aT + b)(cT + d) = acT^2 + (ad + bc)T + bd = ac(t + n) + zT + bd \equiv act + zT + bd
\pmod n$. d. Use part (c), substituting $eT + f$ for $ac$. e. The first half is identical to part
(b); the second half follows by substituting $gT + h$ for $z + et$ in part (c) and noting that $T^2 \equiv t
\pmod n$. f. Certainly, $ft$ and $gt$ can be computed because all three numbers are less than $T$,
which is less than $\sqrt{n} + 1$. So $(f + g)t$ is less than $2n < w$. Similarly, we can compute $j + bd$
without exceeding the word size. And, finally, using the same arguments, we can compute $hT + k$
without exceeding the word size.
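
Parts (c) through (f) of Exercise 39 assembled into one routine, as an added example rather than code from the book. The names `split_params` and `mulmod_bounded` are chosen here, and reducing $z$ and $z + et$ modulo $n$ and taking $j = (f + g)t \bmod n$, $k = (j + bd) \bmod n$ are assumptions of this example, since the exercise statement that defines them is not reproduced on this page.

```python
from math import isqrt


def split_params(n):
    """Return (T, t) with T = floor(sqrt(n) + 1/2) and t = T^2 - n."""
    T = (isqrt(4 * n) + 1) // 2     # integer form of floor(sqrt(n) + 1/2)
    return T, T * T - n


def mulmod_bounded(x, y, n):
    """Compute x*y mod n for 0 <= x, y < n without forming x*y.

    Returns (result, peak), where peak is the largest absolute value of
    any intermediate quantity.  Python integers never overflow, so peak
    is what shows that a fixed-width implementation would stay in range.
    Note that t may be negative; Python's % always returns a value in
    [0, n), which a C port would have to reproduce explicitly.
    """
    if n < 1 or not (0 <= x < n and 0 <= y < n):
        raise ValueError("need n >= 1 and 0 <= x, y < n")
    T, t = split_params(n)
    peak = 0

    def track(v):
        nonlocal peak
        peak = max(peak, abs(v))
        return v

    a, b = divmod(x, T)             # x = aT + b, 0 <= a <= T, 0 <= b < T
    c, d = divmod(y, T)             # y = cT + d
    # Part (c): xy = ac*T^2 + (ad + bc)T + bd, and T^2 = t (mod n).
    z = track(track(a * d) % n + track(b * c) % n) % n
    # Part (d): write ac = eT + f, so ac*t = (et)T + ft.
    e, f = divmod(track(a * c), T)
    # Part (e): write (z + et) mod n = gT + h, so its multiple of T
    # becomes g*t + h*T after using T^2 = t (mod n) once more.
    v = track(z + track(e * t)) % n
    g, h = divmod(v, T)
    # Part (f): xy = (f + g)t + bd + hT (mod n), reduced step by step.
    j = track((f + g) * t) % n
    k = track(j + track(b * d)) % n
    return track(h * T + k) % n, peak


if __name__ == "__main__":
    n = 2**31 - 1
    x, y = n - 1, n - 2
    result, peak = mulmod_bounded(x, y, n)
    print("x*y mod n      =", result)
    print("peak magnitude =", peak, "versus x*y =", x * y)
```

With a 31-bit modulus the product $xy$ needs about 62 bits, while every intermediate value in the routine stays at or below $2n + T$.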

41. a. 1 b. 1 c. 1 d. 1 e. Fermat’s little theorem (Section 6.1) 

43. Because $f_{n-2} + f_{n-1} \equiv f_n \pmod{m}$, if two consecutive numbers recur in the same order, then the
sequence must be repeating both as n increases and as it decreases. But there are only m residues,
and so $m^2$ ordered sequences of two residues. As the sequence is infinite, some two elements of
the sequence must recur by the pigeonhole principle. Thus, the sequence of least positive residues
of the Fibonacci numbers repeats. It follows that if m divides some Fibonacci number, that is, if
$f_n \equiv 0 \pmod{m}$, then m divides infinitely many Fibonacci numbers. To see that m does divide
some Fibonacci number, note that the sequence must contain a 0, namely, $f_0 \equiv 0 \pmod{m}$.

45. Let a and b be positive integers less than m. Then they have $O(\log m)$ digits (bits). Therefore by
Theorem 2.4, we can multiply them using $O(\log^2 m)$ operations. Division by m takes $O(\log^2 m)$
operations by Theorem 2.7. Therefore, in all we have $O(\log^2 m)$ operations.

47. Let $N_i$ be the number of coconuts the ith man leaves for the next man and let $N_0 = N$.
At each stage, the ith man finds $N_{i-1}$ coconuts, gives k coconuts to the monkeys, takes
$(1/n)(N_{i-1} - k)$ coconuts for himself, and leaves the rest for the next man. This yields
the recursive formula $N_i = (N_{i-1} - k)(n - 1)/n$. For convenience, let $w = (n - 1)/n$. If
we iterate this formula a few times, we get $N_1 = (N_0 - k)w$, $N_2 = (N_1 - k)w = ((N_0 - k)w - k)w
= N_0 w^2 - kw^2 - kw$, $N_3 = N_0 w^3 - kw^3 - kw^2 - kw$, .... The general pattern
$N_i = N_0 w^i - kw^i - kw^{i-1} - \cdots - kw = N_0 w^i - kw(w^i - 1)/(w - 1)$ may be proved by
induction. When the men rise in the morning, they find $N_n = N_0 w^n - kw(w^n - 1)/(w - 1)$
coconuts, and we must have $N_n \equiv k \pmod{n}$, that is, $N_n = N_0 w^n - kw(w^n - 1)/(w - 1) = k + tn$
for some integer t. Substituting $w = (n - 1)/n$ back in for w, solving for $N_0$, and simplifying
yields $N = N_0 = n^{n+1}(t + k)/(n - 1)^n - kn + k$. For N to be an integer, because $(n, n - 1) = 1$,
we must have $(t + k)/(n - 1)^n$ an integer. Because we seek the smallest positive value for N, we
take $t + k = (n - 1)^n$, so $t = (n - 1)^n - k$. Substituting this value back into the formula for N
yields $N = n^{n+1} - kn + k$.

49. a. Let $f_1(x) = \sum_{i=0}^{m} a_i x^i$, $f_2(x) = \sum_{i=0}^{m} b_i x^i$, $g_1(x) = \sum_{i=0}^{m} c_i x^i$, and $g_2(x) = \sum_{i=0}^{m} d_i x^i$, where
the leading coefficients may be zero to keep the limits of summation the same for all polynomials.
Then $a_i \equiv c_i \pmod{n}$ and $b_i \equiv d_i \pmod{n}$, for i = 0, 1, ..., m. Therefore by Theorem 4.6 part
(i), $a_i + b_i \equiv c_i + d_i \pmod{n}$ for i = 0, 1, ..., m. Because $(f_1 + f_2)(x) = \sum_{i=0}^{m} (a_i + b_i) x^i$
and $(g_1 + g_2)(x) = \sum_{i=0}^{m} (c_i + d_i) x^i$, this shows the sums of the polynomials are congruent
modulo n. b. With the same set up as in part (a), the coefficient on $x^k$ in $(f_1 f_2)(x)$ is given
by $a_0 b_k + a_1 b_{k-1} + \cdots + a_k b_0$, and the corresponding coefficient in $(g_1 g_2)(x)$ is given by
$c_0 d_k + c_1 d_{k-1} + \cdots + c_k d_0$. Because each $a_i \equiv c_i \pmod{n}$ and $b_i \equiv d_i \pmod{n}$, by Theorem 4.6
the two expressions are congruent modulo n, and so, therefore, are the polynomials.

51. The basis step for induction on k is Exercise 42. Assume that $f(x) \equiv h(x) \pmod{p}$ and
$f(x) = (x - a_1) \cdots (x - a_{k-1})h(x)$, where h(x) is a polynomial with integer coefficients.
Substituting $a_k$ for x in this congruence gives us $0 \equiv (a_k - a_1) \cdots (a_k - a_{k-1})h(a_k) \pmod{p}$. None
of the factors $a_k - a_i$ can be congruent to zero modulo p, so we must have $h(a_k) \equiv 0 \pmod{p}$.
Applying Exercise 50 to h(x) and $a_k$ gives us $h(x) \equiv (x - a_k)g(x) \pmod{p}$, and substituting this
in the congruence for f(x) yields $f(x) \equiv (x - a_1) \cdots (x - a_k)g(x) \pmod{p}$, which completes
the induction step.

Section 4.2 

1. a. x = 6 (mod 7) b. x = 2, 5 or 8 (mod 9) c. x = 10 (mod 40) d. x = 20 (mod 25) 
e. x = 111 (mod 999) f. x = 75 + 80k (mod 1600) where k is an integer
3. x = 1074 + 3157k (mod 28927591) 

5. 19 hours 

7. 77 solutions when c is a multiple of 77 
9. a. 13 b. 7 c. 5 d. 16 

11. a. 1, 7, 11, 13, 17, 19, 23, 29 b. Note that 1, 11, 19 and 29 are their own inverses; 7 and 13 are 
inverses of each other, as are 23 and 17. 

13. If $ax + by \equiv c \pmod{m}$, then there exists an integer k such that $ax + by - mk = c$. Because
$d \mid ax + by - mk$, $d \mid c$. Thus, there are no solutions when $d \nmid c$. Now assume that $d \mid c$ and
let $a = da'$, $b = db'$, $c = dc'$, and $m = dm'$, so that $(a', b', m') = 1$. Then we can divide the
original congruence by d to get (*) $a'x + b'y \equiv c' \pmod{m'}$, or $a'x \equiv c' - b'y \pmod{m'}$, which
has solutions if and only if $g = (a', m') \mid c' - b'y$, which is equivalent to $b'y \equiv c' \pmod{g}$
having solutions. Because $(a', b', m') = 1$, and $(a', m') = g$, we must have $(b', g) = 1$, and
so the last congruence has only one incongruent solution $y_0$ modulo g. But the $m'/g$ solutions
$y_0, y_0 + g, y_0 + 2g, \ldots, y_0 + (m'/g - 1)g$ are incongruent modulo $m'$. Each of these yields g
incongruent values of x in the congruence (*). Therefore, there are $g(m'/g) = m'$ incongruent
solutions to (*).

Now let $(x_1, y_1)$ be one solution of the original congruence. Then the d values $x_1, x_1 + m',
x_1 + 2m', \ldots, x_1 + (d - 1)m'$ are congruent modulo $m'$ but incongruent modulo m. Likewise,
the d values $y_1, y_1 + m', y_1 + 2m', \ldots, y_1 + (d - 1)m'$ are congruent modulo $m'$ but incongruent
modulo m. So for each solution of (*), we can generate $d^2$ solutions of the original congruence.
Because there are $m'$ solutions to (*), we have $d^2 m' = dm$ solutions to the original congruence.

15. Suppose that $x^2 \equiv 1 \pmod{p^k}$, where p is an odd prime and k is a positive integer. Then
$x^2 - 1 = (x + 1)(x - 1) \equiv 0 \pmod{p^k}$. Hence, $p^k \mid (x + 1)(x - 1)$. Because $(x + 1) - (x - 1) = 2$
and p is an odd prime, we know that p divides at most one of $(x - 1)$ and $(x + 1)$. It follows that
either $p^k \mid (x + 1)$ or $p^k \mid (x - 1)$, so that $x \equiv \pm 1 \pmod{p^k}$.

17. To find the inverse of a modulo m, we must solve the Diophantine equation ax + my = 1, which
can be done using the Euclidean algorithm. Using Corollary 2.5.1, we can find the greatest
common divisor in $O(\log^3 m)$ bit operations. The back substitution to find x and y will take
no more than $O(\log m)$ multiplications, each taking $O(\log^2 m)$ operations. Therefore, the total
number of operations is $O(\log^3 m) + O(\log m)O(\log^2 m) = O(\log^3 m)$.

Section 4.3 

1. x = 1 (mod 6) 

3. 32 + 60m 

5. x = 1523 (mod 2310) 

7. 204 
9. 1023 

11. x = 2101 (mod 2310) 

13. We can construct a sequence of k consecutive integers each divisible by a square as follows.
Consider the system of congruences $x \equiv 0 \pmod{p_1^2}$, $x \equiv -1 \pmod{p_2^2}$, $x \equiv -2 \pmod{p_3^2}$, ...,
$x \equiv -k + 1 \pmod{p_k^2}$, where $p_k$ is the kth prime. By the Chinese remainder theorem, there is a
solution to this simultaneous system of congruences because the moduli are relatively prime. It
follows that there is a positive integer N that satisfies each of these congruences. Each of the k
integers N, N + 1, ..., N + k - 1 is divisible by a square because $p_j^2$ divides N + j - 1 for
j = 1, 2, ..., k.

15. Suppose that x is a solution to the system of congruences. Then $x \equiv a_1 \pmod{m_1}$, so
that $x = a_1 + km_1$ for some integer k. We substitute this into the second congruence to
get $a_1 + km_1 \equiv a_2 \pmod{m_2}$ or $km_1 \equiv (a_2 - a_1) \pmod{m_2}$, which has a solution in k
if and only if $(m_1, m_2) \mid (a_2 - a_1)$. Now assume such a solution $k_0$ exists. Then all
incongruent solutions are given by $k = k_0 + m_2 t/(m_1, m_2)$, where t is an integer. Then
$x = a_1 + km_1 = a_1 + \left(k_0 + \frac{m_2 t}{(m_1, m_2)}\right) m_1 = a_1 + k_0 m_1 + \frac{m_1 m_2}{(m_1, m_2)} t$. Note that
$m_1 m_2/(m_1, m_2) = [m_1, m_2]$, so that if we set $x_1 = a_1 + k_0 m_1$, we have $x = x_1 + [m_1, m_2]t \equiv x_1
\pmod{[m_1, m_2]}$, and so the solution is unique modulo $[m_1, m_2]$.

17. a. x= 430 + 2100; b. x = 9102 + 10010; 

19. First, suppose the system has a solution. Then for any distinct i and j, there is a solution
to the two-congruence system $x \equiv a_i \pmod{m_i}$, $x \equiv a_j \pmod{m_j}$. By Exercise 15, we must
have $(m_i, m_j) \mid (a_i - a_j)$. For the converse, we proceed by mathematical induction on the
number of congruences r. For r = 2, Exercise 15 shows that the system has a solution.
This is the basis step. Now suppose the proposition is true for systems of r congruences
and consider a system of r + 1 congruences. Let $M = [m_1, m_2, \ldots, m_r]$. By the induction
hypothesis, the system of the first r congruences has a unique solution A (mod M).
Consider the system of two congruences $x \equiv A \pmod{M}$, $x \equiv a_{r+1} \pmod{m_{r+1}}$. A solution
to this system will be a solution to the system of r + 1 congruences. Note that for i = 1, ..., r,
we have $(m_i, m_{r+1}) \mid m_{r+1} \mid a_i - a_{r+1}$, and likewise $(m_i, m_{r+1}) \mid m_i \mid (a_i - A)$, because we
must have $A \equiv a_i \pmod{m_i}$. Therefore, $A \equiv a_{r+1} \pmod{(m_i, m_{r+1})}$, which is equivalent to
$A \equiv a_{r+1} \pmod{[(m_1, m_{r+1}), (m_2, m_{r+1}), \ldots, (m_r, m_{r+1})]}$. Check that this last modulus is
equal to $(M, m_{r+1})$. Then we have $(M, m_{r+1}) \mid (A - a_{r+1})$. Therefore, by the induction
hypothesis, the system $x \equiv A \pmod{M}$, $x \equiv a_{r+1} \pmod{m_{r+1}}$ has a unique solution modulo
$[M, m_{r+1}] = [m_1, m_2, \ldots, m_{r+1}]$, and this is a solution to the system of r + 1 congruences.
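
The merging argument of Exercises 15 and 19 translates directly into an algorithm for systems whose moduli need not be pairwise relatively prime. The following Python sketch is an added example, not part of the book's answer key; the function names and the sample systems in the comments are constructed for illustration.

```python
def ext_gcd(a, b):
    """Extended Euclidean algorithm: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def merge(a1, m1, a2, m2):
    """Combine x = a1 (mod m1) and x = a2 (mod m2) as in Exercise 15.

    Returns (x1, lcm) with 0 <= x1 < lcm = [m1, m2], or None when
    (m1, m2) does not divide a2 - a1 and the pair has no solution.
    """
    g, u, _ = ext_gcd(m1, m2)            # m1*u + m2*v = g
    if (a2 - a1) % g != 0:
        return None
    # Solve k*m1 = a2 - a1 (mod m2): dividing through by g leaves
    # k = ((a2 - a1)/g) * u (mod m2/g), because (m1/g)*u = 1 (mod m2/g).
    k0 = ((a2 - a1) // g * u) % (m2 // g)
    lcm = m1 // g * m2
    return (a1 + k0 * m1) % lcm, lcm


def solve_system(congruences):
    """Fold a list of (a_i, m_i) pairs into one congruence, as in Exercise 19.

    Returns (A, M) with M the least common multiple of all moduli,
    or None as soon as two congruences are incompatible.
    """
    A, M = 0, 1                          # x = 0 (mod 1) holds for every integer
    for a, m in congruences:
        merged = merge(A, M, a % m, m)
        if merged is None:
            return None
        A, M = merged
    return A, M


if __name__ == "__main__":
    # Constructed systems: the first two share the moduli 4 and 6.
    print(solve_system([(1, 4), (3, 6)]))            # compatible: (4, 6) = 2 divides 3 - 1
    print(solve_system([(1, 4), (2, 6)]))            # incompatible: 2 does not divide 2 - 1
    print(solve_system([(2, 6), (8, 10), (8, 15)]))  # three non-coprime moduli
```

The early exit in `solve_system` is exactly the divisibility condition $(m_i, m_j) \mid (a_i - a_j)$ from Exercise 19, checked against the running modulus M rather than pair by pair.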

21. 2101 

23. 73,800 pounds 

25. 0000, 0001, 0625, 9376 

27. We need to solve the system x = 23 + 2 (mod 4 • 23), x = 28 + 1 (mod 4 • 28), x = 33 (mod 4 •
33), where we have added 2 and 1 to make the system solvable under the conditions of Exercise
19. The solution to this system is x = 4257 (mod 85008). 

29. every 85,008 quarter-days, starting at 0 

31. We examine each congruence class modulo 24. If x is congruent to an odd number modulo 24, 
then x = 1 (mod 2), so all the odd congruence classes are covered. Note that the congruence 
classes of 2, 6, 10, 14, 18, 22 are all congruent to 2 (mod 4). This leaves only 0, 4, 8, 12, 16, 20. 
0 = 0 (mod 24), 4 = 12 = 20 = 4 (mod 8), 8 = 8 (mod 12), and 16 = 1 (mod 3), so all congruence 
classes modulo 24 are covered. 

33. If the set of distinct congruences covers the integers modulo the least common multiple of the
moduli, then that set will cover all integers. Examine the integers modulo 210, the l.c.m. of the 
moduli in this set of congruences. The first four congruences take care of all numbers containing 
a prime divisor of 2, 3, 5, or 7. The remaining numbers can be examined one at a time, and each 
can be seen to satisfy one (or more) of the congruences. 

35. most likely 318 inches 

37. $x = 225a_1 + 1000a_2 + 576a_3 + 1800k$, where k is an integer and $a_1$ is 3 or 7, $a_2$ is 2 or 7, and $a_3$
is 14 or 18

Section 4.4 

1. a. 1 or 2 (mod 7) b. 8 or 37 (mod 39) c. 106 or 233 (mod 343) 

3. 785 or 1615 (mod 2401) 

5. 184, 373, 562, 751, 940, 1129, and 1318 (mod 1323)

7. 3404 or 279 (mod 4375) 

9. two 

11. Because (a, p) = 1, we know that a has an inverse b modulo p. Let $f(x) = ax - 1$. Then
$x \equiv b \pmod{p}$ is the unique solution to $f(x) \equiv 0 \pmod{p}$. Because $f'(x) = a \not\equiv 0 \pmod{p}$, we
know that r = b lifts uniquely to solutions modulo $p^k$ for all natural numbers k. By Corollary
4.14.1, we have that $r_k = r_{k-1} - f(r_{k-1})\overline{f'(b)} = r_{k-1} - (ar_{k-1} - 1)\bar{a} = r_{k-1} - (ar_{k-1} - 1)b =
r_{k-1}(1 - ab) + b$. This gives a recursive formula for lifting b to a solution modulo $p^k$ for any k.

13. There are 1, 3, 3, 9, and 18 solutions for n = 1, 2, 3, 4, and 5, respectively. 

Section 4.5 

1. a. x = 2 (mod 5) and y = 2 (mod 5) b. no solutions c. x = 3 (mod 5), y = 0 (mod 5); x = 4 
(mod 5), y = 1 (mod 5); x = 0 (mod 5), y = 2 (mod 5); x = 1 (mod 5), y = 3 (mod 5); and x = 2 
(mod 5), y = 4 (mod 5). 

3. 0, 1, p, or p 2 

5. The basis step, where k = 1, is clear by assumption. For the inductive hypothesis, assume that
$A \equiv B \pmod{m}$ and $A^k \equiv B^k \pmod{m}$. Then, $A \cdot A^k \equiv A \cdot B^k \pmod{m}$ by Theorem 4.16. Further,
$A^{k+1} = A \cdot A^k \equiv A \cdot B^k \equiv B \cdot B^k = B^{k+1} \pmod{m}$.

11. a. 5 b. 5 c. 5 d. 1


13. In Gaussian elimination, the chief operation is to subtract a multiple of one equation or row from
another, in order to put a 0 in a desirable place. Given that an entry a must be changed to 0 by
subtracting a multiple of b, we proceed as follows: Let $\bar{b}$ be the inverse for b (mod k). Then
$a - (a\bar{b})b \equiv 0$, and elimination proceeds as for real numbers. If $\bar{b}$ doesn’t exist, and one cannot
swap rows to get an invertible b, then the system is underdetermined.

15. Consider summing the ith row. Let $k = xn + y$, where $0 \le y < n$. Then x and y must satisfy the
Diophantine equation $i \equiv a + cy + ex \pmod{n}$, if k is in the ith row. Then $x - ct$ and $y + et$
is also a solution for any integer t. By Exercise 14, there must be n positive solutions that yield
n numbers k between 0 and $n^2$. Let s, s + 1, ..., s + n - 1 be the values for t that give these
solutions. Then the sum of the ith row is $\sum_{r=0}^{n-1} (n(x - c(s + r)) + y + e(s + r)) = n(n + 1)$,
which is independent of i.

Section 4.6 

1. a. 7 • 19 b. 29 • 41 c. 41 • 47 d. 47 • 173 e. 131 • 277 f. 29 • 1663

3. Numbers generated by linear functions where a > 1 will not be random in the sense that
$x_{2s} - x_s = ax_{2s-1} + b - (ax_{s-1} + b) = a(x_{2s-1} - x_{s-1})$ is a multiple of a for all s. If a = 1,
then $x_{2s} - x_s = x_0 + sb$. In this case, if $x_0 \ne 0$, then we will not notice if a factor of b that is not
a factor of $x_0$ is a divisor of n.

Section 5.1 

1. a. $256 = 2^8$ b. $16 = 2^4$ c. $1024 = 2^{10}$ d. $2 = 2^1$

3. a. by 3 but not by 9 b. by both 3 and 9 c. by both 3 and 9 d. by neither 3 nor 9 

5. a. $2^1 = 2$ b. $2^0 = 1$ c. $2^6 = 64$ d. $2^0 = 1$

7. a. no b. no c. yes d. yes 

9. a. by neither 3 nor 5 b. by both 3 and 5 c. by neither 3 nor 5 d. by 5 but not by 3 
11. if and only if the number of digits is a multiple of 3 (respectively, 9) 

13. if and only if the number of digits is a multiple of 6 in each case 

15. if and only if the number of digits is a multiple of d, where $d \mid b - 1$

17. A palindromic integer with 2k digits has the form $(a_k a_{k-1} \ldots a_1 a_1 a_2 \ldots a_k)_{10}$. Using the test for
divisibility by 11 developed in this section, we find that $a_k - a_{k-1} + \cdots \pm a_1 \mp a_1 \pm a_2 \mp \cdots - a_k = 0$,
and so $(a_k a_{k-1} \ldots a_1 a_1 a_2 \ldots a_k)_{10}$ is divisible by 11.

19. An integer $a_k a_{k-1} \ldots a_1 a_0$ is divisible by 37 if and only if $a_0 a_1 a_2 + a_3 a_4 a_5 + a_6 a_7 a_8 + \cdots$ is;
$37 \nmid 443692$; $37 \mid 11092785$

21. a. no b. by 5 but not by 2 c. by neither 5 nor 13 d. yes 
23. 6 

25. a. no solutions b. 0, 3, 6, or 9 c. any digit is a solution d. 9 e. 9 f. no solutions 
27. no

29. First note that $n = a_k 10^k + a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0$, so that $(n - a_0)/10 = (a_k 10^k +
a_{k-1} 10^{k-1} + \cdots + a_1 10)/10 = a_k 10^{k-1} + \cdots + a_1$. Now suppose $d \mid n$. Then $n = a_k 10^k +
a_{k-1} 10^{k-1} + \cdots + a_1 10 + a_0 = 10(a_k 10^{k-1} + \cdots + a_1) + a_0 \equiv 0 \pmod{d}$. Multiplying both
sides by e, which is an inverse for 10 modulo d, gives us $(a_k 10^{k-1} + \cdots + a_1) + ea_0 \equiv 0
\pmod{d}$. Which is $n' = (n - a_0)/10 + ea_0 \equiv 0 \pmod{d}$. These steps are reversible, so we have
that $d \mid n$ if and only if $d \mid n'$.

To show the technique will work, we need to show that $n, n', (n')', \ldots$ is a decreasing
sequence until we get a term that is not much bigger than d. Suppose that $n > 10d$. Then, because
$a_0 \le 9$, we have $9n > 10a_0 d$. Because e is a least positive residue modulo d, we have $e < d$, so, in
particular, $10e - 1 < 10d$. Using this in the above inequality gives us $9n > a_0(10e - 1)$. Adding
n to both sides gives us $10n > n - a_0 + 10ea_0$, or $n > (n - a_0)/10 + ea_0 = n'$. This shows that
the sequence generated will be decreasing at least until some term is less than 10d, which we may
examine by hand.

31. a. Multiply the last digit by 4 and add this result to the number formed by deleting the last digit of 
the integer and repeat, b. Multiply the last digit by 2 and add this result to the number formed 
by deleting the last digit of the integer and repeat, c. Multiply the last digit by 2 and subtract this 
result from the number formed by deleting the last digit of the integer and repeat, d. Multiply 
the last digit by 8 and subtract this result from the number formed by deleting the last digit of the 
integer and repeat. 

33. a. $13 \nmid 798$; $19 \mid 798$; $21 \mid 798$; $27 \nmid 798$ b. $13 \mid 2340$; $19 \nmid 2340$; $21 \nmid 2340$; $27 \nmid 2340$ c.
$13 \nmid 34257$; $19 \mid 34257$; $21 \nmid 34257$; $27 \nmid 34257$. d. $13 \nmid 348327$; $19 \mid 348327$; $21 \mid 348327$;
$27 \mid 348327$.

Section 5.2 

1. Happy Birthday! 

3. twice 

5. $W \equiv k + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] - [C/40] \pmod{7}$.

7. answer is person dependent 

9. 2500 

11. If the 13th falls on the same day of the week on two consecutive months, then the number of days 
in the first month must be congruent to 0 modulo 7, and the only such month is February during 
non-leap year. If February 13th is a Friday, then January 1st is a Thursday. 

13. In the perpetual calendar formula, we let W = 5 and k = 13 to get $5 \equiv 13 + [2.6m - 0.2] - 2C +
Y + [Y/4] + [C/4] \pmod{7}$. Then $[2.6m - 0.2] \equiv 6 + 2C - Y - [Y/4] - [C/4] \pmod{7}$. We
note that as the month varies from March to December, the expression $[2.6m - 0.2]$ takes on
every residue class modulo 7. So regardless of the year, there is always an m which makes the left
side of the last congruence congruent to the right side.

15. The months with 31 days are March, May, July, August, October, December, and January, which
is considered in the previous year. The corresponding numbers for these months are 1, 3, 5, 6,
8, 10, and 12. Given Y and C, we let k = 31 in the perpetual calendar formula and get $W \equiv
31 + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4] \equiv 3 + [2.6m - 0.2] - 2C + Y + [Y/4] + [C/4]
\pmod{7}$. To see which days of the week the 31st will fall on, we let m take on the values 1, 3, 5,
6, 8, 10 and reduce. Finally, we decrease the year by 1 (which may require decreasing the century
by 1) and let m take on the value 12 and reduce modulo 7. The collection of values of W tells us
the days of the week on which the 31st will fall.

Section 5.3

1. a. Teams i and j are paired in round k if and only if $i + j \equiv k \pmod{7}$ with team i drawing a bye
if $2i \equiv k \pmod{7}$. Round 1: 1-7, 2-6, 3-5, 4-bye; round 2: 2-7, 3-6, 4-5, 1-bye; round 3: 1-2,
3-7, 4-6, 5-bye; round 4: 1-3, 4-7, 5-6, 2-bye; round 5: 1-4, 2-3, 5-7, 6-bye; round 6: 1-5, 2-4,
6-7, 3-bye; round 7: 1-6, 2-5, 3-4, 7-bye. b. Teams i and j are paired in round k if and
only if $i + j \equiv k \pmod{7}$, $i, j \ne 8$; team i plays team 8 if $2i \equiv k \pmod{7}$. c. Teams i and j are
paired in round k if and only if $i + j \equiv k \pmod{9}$, with team i drawing a bye if $2i \equiv k \pmod{9}$.
d. Teams i and j are paired in round k if and only if $i + j \equiv k \pmod{9}$, $i, j \ne 10$; team i plays
team 10 if $2i \equiv k \pmod{9}$.

3. a. home teams in round 1: 4 and 5; round 2: 2 and 3; round 3: 1 and 5; round 4: 3 and 4; round 5: 
1 and 2 b. home teams in round 1: 5, 6, and 7; round 2: 2, 3, and 4; round 3: 1, 6, and 7; round 
4: 3, 4, and 5; round 5: 1, 2, and 7; round 6: 4, 5, and 6; round 7: 1, 2, and 3 c. home teams in 
round 1: 6, 7, 8, and 9; round 2: 2, 3, 4, and 5; round 3: 1, 7, 8, and 9; round 4: 3, 4, 5, and 6; 
round 5: 1, 2, 8, and 9; round 6: 4, 5, 6, and 7; round 7: 1, 2, 3, and 9; round 8: 5, 6, 7, and 8; 
round 9: 1, 2, 3, and 4 

Section 5.4 

1. Let k be the six-digit number on the license plate of a car. We can assign this car the space numbered
$h(k) \equiv k \pmod{101}$, where the spaces are numbered 0, 1, 2, ..., 100. When a car is assigned the
same space as another car we can assign it to the space $h(k) + g(k)$ where $g(k) \equiv k + 1 \pmod{99}$
and $0 < g(k) < 98$. When this space is occupied, we next try $h(k) + 2g(k)$, then $h(k) + 3g(k)$,
and so on. All spaces are examined because $(g(k), 101) = 1$.

3. a. It is clear that m memory locations will be probed as j = 0, 1, 2, ..., m - 1. To see that
they are all distinct, and hence every memory location is probed, assume that $h_i(K) \equiv h_j(K)
\pmod{m}$. Then $h(K) + iq \equiv h(K) + jq \pmod{m}$. From this it follows that $iq \equiv jq \pmod{m}$,
and as $(q, m) = 1$, $i \equiv j \pmod{m}$ by Corollary 4.5.1. And so i = j because i and j are both less
than m. b. It is clear that m memory locations will be probed as j = 0, 1, 2, ..., m - 1. To see
that they are all distinct, and hence every memory location is probed, assume that $h_i(K) \equiv h_j(K)
\pmod{m}$. Then $h(K) + iq \equiv h(K) + jq \pmod{m}$. From this it follows that $iq \equiv jq \pmod{m}$,
and as $(q, m) = 1$, $i \equiv j \pmod{m}$ by Corollary 4.5.1. And so i = j because i and j are both less
than m.

5. 558, 1002, 2174, 4035 

Section 5.5 

1. a. 0 b. 0 c. 1 d. 1 e. 0 f. 1 

3. a. 0 b. 1 c. 0 

5. a. 7 b. 1 c. 4 

7. Transposition means that adjacent digits are in the wrong order. Suppose, first, that the first
two digits, $x_1$ and $x_2$, or equivalently, the fourth and fifth digits, are exchanged, and the error
is not detected. Then $x_7 \equiv 7x_1 + 3x_2 + x_3 + 7x_4 + 3x_5 + x_6 \equiv 7x_2 + 3x_1 + x_3 + 7x_4 + 3x_5 + x_6
\pmod{10}$. It follows that $7x_1 + 3x_2 \equiv 7x_2 + 3x_1 \pmod{10}$ or $4x_1 \equiv 4x_2 \pmod{10}$. By Corollary
4.5.1, we see that $x_1 \equiv x_2 \pmod{5}$. This is equivalent to $|x_1 - x_2| = 5$, as $x_1$ and $x_2$ are single
digits. Similarly, if the second and third (or fifth and sixth) digits are transposed, we find that
$2x_2 \equiv 2x_3 \pmod{10}$, which again reduces to $x_2 \equiv x_3 \pmod{5}$ by Corollary 4.5.1. Also, if the third
and fourth digits are transposed, we find that $6x_3 \equiv 6x_4 \pmod{10}$ and $x_3 \equiv x_4 \pmod{5}$, similarly
as before. The reverse argument will complete the proof.

9. a. 0 b. 3 c. 4 d. X

11. a. valid b. not valid c. valid d. valid e. not valid 

13. 0-07-289905-0 

15. a. no b. yes c. yes d. no 

17. It can. 

19. a. valid b. not valid c. valid d. not valid e. valid 

21. Let $c_i = 1$ if i is odd and $c_i = 3$ if i is even, for i = 1, 2, ..., 13. Then $\sum_{i=1}^{13} c_i a_i \equiv 0 \pmod{10}$.
Suppose that one digit, say, $a_k$, of an ISBN-13 code is misread as $b \ne a_k$. To get a contradiction,
suppose that when the above congruence is changed by replacing $a_k$ by b the sum is still congruent
to 0 modulo 10. If we subtract these two congruences, we get $c_k(a_k - b) \equiv 0 \pmod{10}$. Because
both 1 and 3 are relatively prime to 10, we can multiply both sides by $c_k^{-1}$, which gives us
$a_k - b \equiv 0 \pmod{10}$. But because $a_k$ and b are both integers between 0 and 9, we must have
$a_k = b$, contradicting the assumption that $b \ne a_k$. Therefore, any single error is detected by the
code.

23. a. yes b. no 

25. a. 94 b. If $x_i$ is misentered as $y_i$, then if the congruence defining $x_{10}$ holds, we see that $ax_i \equiv ay_i
\pmod{11}$ by setting the two definitions of $x_{10}$ congruent. From this, it follows by Corollary
4.5.1 that $x_i \equiv y_i \pmod{11}$ and so $x_i = y_i$. If the last digit, $x_{11}$, is misentered as $y_{11}$, then the
congruence defining $x_{11}$ will hold if and only if $x_{11} = y_{11}$. c. Suppose that $x_i$ is misentered as
$y_i$ and $x_j$ is misentered as $y_j$, with i < j < 10. Suppose both of the congruences defining $x_{10}$
and $x_{11}$ hold. Then by setting the two versions of each congruence congruent to each other, we
obtain $ax_i + bx_j \equiv ay_i + by_j \pmod{11}$ and $cx_i + dx_j \equiv cy_i + dy_j \pmod{11}$ where $a \ne b$. If it is
the case that $ad - bc \not\equiv 0 \pmod{11}$, then the coefficient matrix is invertible and we can multiply
both sides of this system of congruences by the inverse to obtain $x_i = y_i$ and $x_j = y_j$. Indeed,
after (tediously) checking each possible choice of a, b, c, and d, we find that all the matrices are
invertible modulo 11.

27. a. 1 b. 1 c. 6 

29. Errors involving a difference of 7 cannot be detected: 0 for 7, 1 for 8, 2 for 9, or vice versa. All 
others can be detected. 

31. a. 1 b. X c. 2 d. 8 

33. Yes. Assume not and compare the expressions modulo 11 to get a congruence of the form
$ad_i + bd_j \equiv ad_j + bd_i \pmod{11}$, which reduces to $(a - b)d_i \equiv (a - b)d_j \pmod{11}$. Because
$0 < a - b < 11$ and 11 is prime, it follows that $d_i \equiv d_j \pmod{11}$. Because these digits are
between 0 and X, they must be equal.

Section 6.1 

1. Note that $10! + 1 = 1(2 \cdot 6)(3 \cdot 4)(5 \cdot 9)(7 \cdot 8)10 + 1 = 1 \cdot 12 \cdot 12 \cdot 45 \cdot 56 \cdot 10 + 1 \equiv 1 \cdot 1 \cdot 1 \cdot 1 \cdot
1 \cdot (-1) + 1 = 0 \pmod{11}$. Therefore, 11 divides 10! + 1.

3. 9 

5. 6 

7. 436 

9. 2 

11. 6 

13. $(3^5)^2 = 243^2 \equiv 1^2 = 1 \pmod{11^2}$.

15. a. x = 9 (mod 17) b. x = 17 (mod 19)

17. Suppose that p is an odd prime. Then Wilson’s theorem tells us that $(p - 1)! \equiv -1 \pmod{p}$.
Because $(p - 1)! = (p - 3)!(p - 1)(p - 2) \equiv (p - 3)!(-1)(-2) \equiv 2 \cdot (p - 3)! \pmod{p}$, this
implies that $2 \cdot (p - 3)! \equiv -1 \pmod{p}$.

19. Because (a, 35) = 1, we have (a, 7) = (a, 5) = 1, so we may apply Fermat’s little theorem to
get $a^{12} - 1 = (a^6)^2 - 1 \equiv 1^2 - 1 = 0 \pmod{7}$ and $a^{12} - 1 = (a^4)^3 - 1 \equiv 1^3 - 1 = 0 \pmod{5}$.
Because both 5 and 7 divide $a^{12} - 1$, then 35 must also divide it.

21. When n is even, so is $n^7$, and when n is odd, so is $n^7$. It follows that $n^7 \equiv n \pmod{2}$. Furthermore,
because $n^3 \equiv n \pmod{3}$, it follows that $n^7 = (n^3)^2 \cdot n \equiv n^2 \cdot n = n^3 \equiv n \pmod{3}$. We also know
by Fermat’s little theorem that $n^7 \equiv n \pmod{7}$. Because $42 = 2 \cdot 3 \cdot 7$, it follows that $n^7 \equiv n
\pmod{42}$.

23. By Fermat’s little theorem, Yfk=\ = XX=i 1 = P — 1 (mod p). 

25. By Fermat’s little theorem, we have $a \equiv a^p \equiv b^p \equiv b \pmod{p}$; hence, $b = a + kp$ for some
integer k. Then by the binomial theorem, $b^p = (a + kp)^p = a^p + \binom{p}{1} a^{p-1} kp + p^2 N$, where N is
some integer. Then $b^p = a^p + p^2 a^{p-1} k + p^2 N \equiv a^p \pmod{p^2}$, as desired.

27. 641 

29. Suppose that p is prime. Then by Fermat’s little theorem, for every integer a, $a^p \equiv a \pmod{p}$,
and by Wilson’s theorem, $(p - 1)! \equiv -1 \pmod{p}$, so that $a(p - 1)! \equiv -a \pmod{p}$. It follows
that $a^p + (p - 1)!a \equiv a + (-a) \equiv 0 \pmod{p}$. Consequently, $p \mid [a^p + (p - 1)!a]$.

31. Because $p - 1 \equiv -1$, $p - 2 \equiv -2$, ..., $(p + 1)/2 \equiv -(p - 1)/2 \pmod{p}$, we have $((p - 1)/2)!^2
\equiv -(p - 1)! \equiv 1 \pmod{p}$. (Because $p \equiv 3 \pmod{4}$ the minus signs work out.) If $x^2 \equiv 1 \pmod{p}$,
then $p \mid x^2 - 1 = (x - 1)(x + 1)$, so $x \equiv \pm 1 \pmod{p}$.

33. Suppose that $p \equiv 1 \pmod{4}$. Let $y = \pm[(p - 1)/2]!$. Then $y^2 = [(p - 1)/2]!^2 =
[(p - 1)/2]!^2 (-1)^{(p-1)/2} = (1 \cdot 2 \cdot 3 \cdots (p - 1)/2)(-1 \cdot (-2) \cdot (-3) \cdots (-(p - 1)/2)) \equiv 1 \cdot 2 \cdot
3 \cdots (p - 1)/2 \cdot (p + 1)/2 \cdots (p - 3)(p - 2)(p - 1) = (p - 1)! \equiv -1 \pmod{p}$, where we
have used Wilson’s theorem. Now suppose that $x^2 \equiv -1 \pmod{p}$. Then $x^2 \equiv y^2 \pmod{p}$ where
$y = [(p - 1)/2]!$. Hence, $(x^2 - y^2) = (x - y)(x + y) \equiv 0 \pmod{p}$. It follows that $p \mid (x - y)$ or
$p \mid (x + y)$ so that $x \equiv \pm y \pmod{p}$.

35. If n is composite and $n \ne 4$, then Exercise 16 shows that $(n - 1)!/n$ is an integer, so
$[((n - 1)! + 1)/n - [(n - 1)!/n]] = [(n - 1)!/n + 1/n - (n - 1)!/n] = [1/n] = 0$, and if n = 4,
then the same expression is also equal to 0. But if n is prime, then by Wilson’s Theorem
$(n - 1)! = Kn - 1$ for some integer K. So $[((n - 1)! + 1)/n - [(n - 1)!/n]] = [(Kn - 1 +
1)/n - [(Kn - 1)/n]] = [K - (K - 1)] = 1$. Therefore, the sum increases by 1 exactly when n is
prime, so it must be equal to $\pi(n)$.

37. Let $n = 4k + r$ with $0 \le r < 4$. Then by Fermat’s little theorem, we have $b^n = b^{4k+r} =
(b^4)^k b^r \equiv 1^k b^r = b^r \pmod{5}$ for any integer b. Then $1^n + 2^n + 3^n + 4^n \equiv 1^r + 2^r + 3^r + 4^r
\pmod{5}$. We consider each of the 4 possibilities for r. If r = 0, then $1^r + 2^r + 3^r + 4^r =
1 + 1 + 1 + 1 = 4 \pmod{5}$. If r = 1, then $1^r + 2^r + 3^r + 4^r = 1 + 2 + 3 + 4 \equiv 0 \pmod{5}$. If r = 2,
then $1^r + 2^r + 3^r + 4^r = 1 + 4 + 9 + 16 = 30 \equiv 0 \pmod{5}$. If r = 3, then $1^r + 2^r + 3^r + 4^r =
1 + 8 + 27 + 64 \equiv 1 + 3 + 2 + 4 \equiv 0 \pmod{5}$. So 5 divides $1^n + 2^n + 3^n + 4^n$ if and only if $r \ne 0$,
that is, if and only if $4 \nmid n$.

39. Suppose that n and n + 2 are twin primes. By Wilson’s theorem, n is prime if and only if
$(n - 1)! \equiv -1 \pmod{n}$. Hence, $4[(n - 1)! + 1] + n \equiv 4 \cdot 0 + n \equiv 0 \pmod{n}$. Also, because
n + 2 is prime, by Wilson’s theorem it follows that $(n + 1)! \equiv -1 \pmod{n + 2}$, so that
$(n + 1)n \cdot (n - 1)! \equiv (-1)(-2)(n - 1)! = 2(n - 1)! \equiv -1 \pmod{n + 2}$. Hence, $4[(n - 1)! + 1] +
n = 2(2 \cdot (n - 1)!) + 4 + n \equiv 2 \cdot (-1) + 4 + n = n + 2 \equiv 0 \pmod{n + 2}$. Because (n, n + 2) = 1,
it follows that $4[(n - 1)! + 1] + n \equiv 0 \pmod{n(n + 2)}$. The converse follows for n odd, by
reversing these calculations. For n even, it’s easy to check that one of the congruences in the
system fails to hold.

41. We have $1 \cdot 2 \cdots (p - 1) \equiv (p + 1)(p + 2) \cdots (2p - 1) \pmod{p}$. Each factor is prime to
p, so $1 \equiv ((p + 1)(p + 2) \cdots (2p - 1))/(1 \cdot 2 \cdots (p - 1)) \pmod{p}$. Thus, $2 \equiv ((p + 1)(p +
2) \cdots (2p - 1)2p)/(1 \cdot 2 \cdots (p - 1)p) = \binom{2p}{p} \pmod{p}$.

43. We first note that $1^p \equiv 1 \pmod{p}$. Now suppose that $a^p \equiv a \pmod{p}$. Then by Exercise 42, we
see that $(a + 1)^p \equiv a^p + 1 \pmod{p}$. But by the inductive hypothesis $a^p \equiv a \pmod{p}$, we see that
$a^p + 1 \equiv a + 1 \pmod{p}$. Hence, $(a + 1)^p \equiv a + 1 \pmod{p}$.

45. a. If $c \le 26$, then c cards are put into the deck above the card, so it ends up in the 2cth position
and $2c \le 52$, so b = 2c. If c > 26, then the card is in the (c - 26)th place in the bottom half of the
deck. In the shuffle, c - 26 - 1 cards are put into the deck above the card, so it ends up in the
b = (c - 26 + c - 26 - 1)th place. Then $b = 2c - 53 \equiv 2c \pmod{53}$. b. 52

47. Assume without loss of generality that $a_p \equiv b_p \equiv 0 \pmod{p}$. Then by Wilson’s theorem,
$a_1 a_2 \cdots a_{p-1} \equiv b_1 b_2 \cdots b_{p-1} \equiv -1 \pmod{p}$. Then $a_1 b_1 \cdots a_{p-1} b_{p-1} \equiv (-1)^2 = 1 \pmod{p}$.
If the set were a complete system, the last product would be $\equiv -1 \pmod{p}$.

49. The basis step is omitted. Assume $(p - 1)^{p^{k-1}} \equiv -1 \pmod{p^k}$. Then $(p - 1)^{p^k} = ((p - 1)^{p^{k-1}})^p =
(-1 + mp^k)^p = -1 + \binom{p}{1} mp^k + \cdots + (mp^k)^p \equiv -1 \pmod{p^{k+1}}$, where we have used the fact
that $p \mid \binom{p}{j}$ for $j \ne 0$ or p.

51. First suppose n is prime. Then from Exercise 72 in Section 3.5, we have $\binom{n}{k}$ is divisible by
n for k = 1, 2, 3, ..., n - 1. Then by the binomial theorem, $(x - a)^n = x^n - \binom{n}{1} x^{n-1} a +
\binom{n}{2} x^{n-2} a^2 + \cdots + (-a)^n \equiv x^n + (-a)^n \pmod{n}$, because all the binomial coefficients, except
the first and last, are divisible by n. Then by Fermat’s little theorem, because (n, -a) = 1,
we have $x^n + (-a)^n \equiv x^n - a \pmod{n}$, so these two polynomials are congruent modulo n
as polynomials. Conversely, suppose n is not prime and let p be the smallest prime dividing
n, and let $q = p^{\alpha} \parallel n$. Looking at the expression above, it suffices to show that one of the
binomial coefficients is not divisible by q, and hence not divisible by n. Let n = mq. Then
$\binom{n}{q} = \frac{n(n - 1) \cdots (n - (q - 1))}{q!} = \frac{m(n - 1) \cdots (n - (q - 1))}{(q - 1)!}$. Because q is the highest
power of p dividing n, we have (q, m) = 1. Further, if $q \mid (n - b)$, for b = 1, 2, ..., q - 1,
then $q \mid b$, but $1 \le b \le q - 1$, a contradiction. Therefore, q doesn’t divide the numerator of the
fraction, and so neither does n. Therefore, $\binom{n}{q} \not\equiv 0 \pmod{n}$. Because the coefficient of $x^q$ is 0 in
$x^n - a$, these two polynomials cannot be congruent modulo n as polynomials.

Section 6.2

1. $3^{90} \equiv 1 \pmod{91}$, but $91 = 7 \cdot 13$

3. $2^{161038} \equiv 2 \pmod{161038}$

5. $(n - a)^n \equiv (-a)^n \equiv -(a^n) \equiv -a \equiv (n - a) \pmod{n}$

7. Raise the congruence $2^{2^m} \equiv -1 \pmod{F_m}$ to the $2^{2^m - m}$th power, to obtain $2^{2^{2^m}} \equiv 1 \pmod{2^{2^m} + 1}$,
which says that $2^{F_m - 1} \equiv 1 \pmod{F_m}$.

9. Suppose that n is a pseudoprime to the bases a and b. Then $b^n \equiv b \pmod{n}$ and $a^n \equiv a \pmod{n}$.
It follows that $(ab)^n = a^n b^n \equiv ab \pmod{n}$. Hence, n is a pseudoprime to the base ab.

11. If $(ab)^{n-1} \equiv 1 \pmod{n}$, then, $1 \equiv a^{n-1} b^{n-1} \equiv 1 \cdot b^{n-1} \pmod{n}$, which implies that n is a
pseudoprime to the base b, a contradiction.

13. A computation shows $2^{1387} \equiv 2 \pmod{1387}$, so 1387 is a pseudoprime. But $1387 - 1 = 2 \cdot 693$
and $2^{693} \equiv 512 \pmod{1387}$, which is all that must be checked, because s = 1. Thus, 1387 fails
Miller’s test and hence is not a strong pseudoprime.

15. Note that $25326001 - 1 = 2^4 \cdot 1582875 = 2^s t$ and with this value of t, $2^t \equiv -1 \pmod{25326001}$,
$3^t \equiv -1 \pmod{25326001}$, and $5^t \equiv 1 \pmod{25326001}$.

17. Suppose $c = 7 \cdot 23 \cdot q$, with q an odd prime, is a Carmichael number. Then by Theorem
6.7, we must have $(7 - 1) \mid (c - 1)$, so $c = 7 \cdot 23 \cdot q \equiv 1 \pmod{6}$. Solving this yields $q \equiv 5
\pmod{6}$. Also, we must have $(23 - 1) \mid (c - 1)$, so $c = 7 \cdot 23 \cdot q \equiv 1 \pmod{22}$. Solving this yields
$q \equiv 19 \pmod{22}$. If we apply the Chinese remainder theorem to these two congruences, we
obtain $q \equiv 41 \pmod{66}$, that is, $q = 41 + 66k$. Then we must have $(q - 1) \mid (c - 1)$, which
is $(40 + 66k) \mid (7 \cdot 23 \cdot (41 + 66k) - 1)$. So there is an integer m such that $m(40 + 66k) =
6600 + 10626k = 160 + 6440 + 10626k = 160 + 161(40 + 66k)$. Therefore, 160 must be a
multiple of 40 + 66k, which happens only when k = 0. Therefore, q = 41 is the only such prime.

19. We have 321,197,185 - 1 = 321,197,184 = 4 • 80,299,296 = 18 • 17,844,288 = 22 • 14,599,872 =
28 • 11,471,328 = 36 • 8,922,144 = 136 • 2,361,744, so $(p - 1) \mid (321{,}197{,}185 - 1)$ for every prime
p which divides 321,197,185. Therefore, by Theorem 6.7, 321,197,185 is a Carmichael number.

21. We can assume that b < n. Then b has fewer than log 2 n bits. Also, t < n so it has fewer than log 2 n 
bits. It takes at most log 2 n multiplications to calculate b 2 \ so it takes O (log 2 n) multiplications to 
calculate b 2 '° g2 ‘ = b 1 . Each multiplication is of two log 2 n bit numbers, and so takes 0(( log 2 n) 2 ) 
operations. So all together we have 0((log 2 n) 3 ) operations. 
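The Section 6.2 answers above can be checked mechanically. The following is an added example, not part of the text: it implements the base-$b$ pseudoprime test, Miller's test, and a Carmichael check, then reruns the specific numbers from Exercises 13, 15, 17 and 19. The function names are chosen here, and the Carmichael check uses Korselt's criterion (squarefree composite with $(p - 1) \mid (n - 1)$ for every prime $p \mid n$), which is an assumption beyond the one direction the answers cite as Theorem 6.7.

```python
def factorize(n):
    """Trial-division factorization of n >= 2 as {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_prime(n):
    return n >= 2 and factorize(n) == {n: 1}


def is_pseudoprime(n, b):
    """Composite n with b^n congruent to b (mod n)."""
    return n > 3 and not is_prime(n) and pow(b, n, n) == b % n


def split_power_of_two(m):
    """Write m = 2^s * t with t odd and return (s, t)."""
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    return s, m


def miller_test(n, b):
    """Miller's test for odd n > 2 with n - 1 = 2^s * t:
    pass if b^t = 1 or b^(2^j * t) = -1 (mod n) for some 0 <= j < s."""
    s, t = split_power_of_two(n - 1)
    x = pow(b, t, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_strong_pseudoprime(n, b):
    return n > 3 and n % 2 == 1 and not is_prime(n) and miller_test(n, b)


def is_carmichael(n):
    """Korselt's criterion: squarefree composite n with (p - 1) | (n - 1) for all primes p | n."""
    f = factorize(n)
    return (len(f) >= 2
            and all(e == 1 for e in f.values())
            and all((n - 1) % (p - 1) == 0 for p in f))


def third_factor_candidates(limit):
    """Primes q < limit for which 7 * 23 * q is a Carmichael number (Exercise 17)."""
    return [q for q in range(3, limit, 2)
            if q not in (7, 23) and is_prime(q) and is_carmichael(7 * 23 * q)]


if __name__ == "__main__":
    print("1387 pseudoprime base 2:", is_pseudoprime(1387, 2))
    print("1387 passes Miller base 2:", miller_test(1387, 2))
    print("25326001 strong pseudoprime to 2, 3, 5:",
          [is_strong_pseudoprime(25326001, b) for b in (2, 3, 5)])
    print("25326001 passes Miller base 7:", miller_test(25326001, 7))
    print("321197185 =", factorize(321197185), "Carmichael:", is_carmichael(321197185))
    print("q with 7*23*q Carmichael, q < 2000:", third_factor_candidates(2000))
```

A composite that passes Miller's test for several small bases, as 25326001 does for 2, 3 and 5, is the reason primality testing in cryptographic key generation uses more bases or randomly chosen ones.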

Section 6.3 

1. a. 1, 5 b. 1, 2, 4, 5, 7, 8 c. 1, 3, 7, 9 d. 1, 3, 5, 9, 11, 13 e. 1, 3, 5, 7, 9, 11, 13, 15 
f. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 

3. If $(a, m) = 1$, then $(-a, m) = 1$, so $-c_i$ must appear among the $c_j$. Also $c_i \not\equiv -c_i \pmod{m}$, or
else $2c_i \equiv 0 \pmod{m}$ and so $(c_i, m) \ne 1$. Hence, the elements in the sum can be paired so that
each pair sums to $0 \pmod{m}$, and thus the entire sum is $0 \pmod{m}$.

5. 1 

7. 11 

9. Because $a^2 \equiv 1 \pmod{8}$ whenever $a$ is odd, it follows that $a^{12} \equiv 1 \pmod{8}$ whenever $(a, 32760) =
1$. Euler's theorem tells us that $a^{\phi(9)} = a^6 \equiv 1 \pmod{9}$ whenever $(a, 9) = 1$, so that $a^{12} = (a^6)^2 \equiv 1
\pmod{9}$ whenever $(a, 32760) = 1$. Furthermore, Fermat's little theorem tells us that $a^4 \equiv 1
\pmod{5}$ whenever $(a, 5) = 1$, $a^6 \equiv 1 \pmod{7}$ whenever $(a, 7) = 1$, and $a^{12} \equiv 1 \pmod{13}$
whenever $(a, 13) = 1$. It follows that $a^{12} = (a^4)^3 \equiv 1 \pmod{5}$, $a^{12} = (a^6)^2 \equiv 1 \pmod{7}$, and
$a^{12} \equiv 1 \pmod{13}$ whenever $(a, 32760) = 1$. Because $32760 = 2^3 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13$ and the moduli
8, 9, 5, 7, and 13 are pairwise relatively prime, we see that $a^{12} \equiv 1 \pmod{32760}$.

11. a. x = 9 (mod 14) b. x = 13 (mod 15) c.x = l (mod 16) 

13. For a particular $i = 1, 2, \ldots, k$, note that $\phi(n) = \phi(p_1)\phi(p_2) \cdots \phi(p_k) = \phi(p_i)N$ for some integer
$N$. Then, by Euler's theorem, $a^{\phi(n)+1} = a^{\phi(p_i)N+1} = a^{\phi(p_i)N} a \equiv 1^N a \equiv a \pmod{p_i}$. This gives us
a set of $k$ linear congruences with moduli mutually relatively prime. So by the Chinese remainder
theorem, the unique solution to the system modulo $n$ is $a$. So $a^{\phi(n)+1} \equiv a \pmod{n}$.

15. a. $x \equiv 37 \pmod{187}$ b. $x \equiv 23 \pmod{30}$ c. $x \equiv 6 \pmod{210}$ d. $x \equiv 150{,}999 \pmod{554{,}268}$.

17. 1

19. $\phi(13) = 12$, $\phi(14) = 6$, $\phi(15) = 8$, $\phi(16) = 8$, $\phi(17) = 16$, $\phi(18) = 6$, $\phi(19) = 18$, $\phi(20) = 8$

21. If $(a, b) = 1$ and $(a, b - 1) = 1$, then $a \mid (b^{k\phi(a)} - 1)/(b - 1)$, which is a base $b$ repunit. If $(a, b -
1) = d > 1$, then $d$ divides any repunit of length $k(b - 1)$, and $(a/d) \mid (b^{k\phi(a)} - 1)/(b - 1)$ and
these sets intersect infinitely often.

23. Let $a_1, a_2, \ldots, a_r$ be the bases to which $n$ is a pseudoprime and for which $(a_i, n) = 1$ for each $i$.
Then by part (a), we know that, for each $i$, $n$ is not a pseudoprime to the base $ba_i$. Thus, we have
$2r$ different elements relatively prime to $n$. Then by the definition of $\phi(n)$, we have $r \le \phi(n)/2$.

Section 7.1 

1. a. Because for all positive integers $m$ and $n$, $f(mn) = 0 = 0 \cdot 0 = f(m) \cdot f(n)$, $f$ is completely
multiplicative. b. Because $f(6) = 2$, but $f(2) \cdot f(3) = 2 \cdot 2 = 4$, $f$ is not completely
multiplicative. c. Because $f(6) = 3$, but $f(2) \cdot f(3) = \frac{2}{2} \cdot \frac{3}{2} = \frac{3}{2}$, $f$ is not completely
multiplicative. d. Because $f(4) = \log(4) > 1$, but $f(2) \cdot f(2) = \log(2) \cdot \log(2) < 1$, $f$ is
not completely multiplicative. e. Because for any positive integers $m$ and $n$, $f(mn) =
(mn)^2 = m^2 n^2 = f(m) \cdot f(n)$, $f$ is completely multiplicative. f. Because $f(4) = 4! = 24$,
but $f(2) \cdot f(2) = 2!\,2! = 4$, $f$ is not completely multiplicative. g. Because $f(6) = 7$, but
$f(2) \cdot f(3) = 4 \cdot 3 = 12$, $f$ is not completely multiplicative. h. Because $f(4) = 4^4 = 256$, but
$f(2) \cdot f(2) = 2^2 2^2 = 16$, $f$ is not completely multiplicative. i. Because for any positive integers
$m$ and $n$, $f(mn) = \sqrt{mn} = \sqrt{m}\sqrt{n} = f(m) \cdot f(n)$, $f$ is completely multiplicative.

3. We have the following prime factorizations of 5186, 5187, and 5188: $5186 = 2 \cdot 2593$,
$5187 = 3 \cdot 7 \cdot 13 \cdot 19$, and $5188 = 2^2 \cdot 1297$. Hence, $\phi(5186) = \phi(2)\phi(2593) = 1 \cdot 2592 = 2592$,
$\phi(5187) = \phi(3)\phi(7)\phi(13)\phi(19) = 2 \cdot 6 \cdot 12 \cdot 18 = 2592$, and $\phi(5188) = \phi(2^2)\phi(1297) =
2 \cdot 1296 = 2592$. It follows that $\phi(5186) = \phi(5187) = \phi(5188)$.

5. 7, 9, 14, 18 

7. 35, 39, 45, 52, 56, 70, 72, 78, 84, 90 

9. 0(2/i) 

11. multiples of 3 

13. powers of 2 greater than 1 

15. If $n$ is odd, then $(2, n) = 1$ and $\phi(2n) = \phi(2)\phi(n) = 1 \cdot \phi(n) = \phi(n)$. If $n$ is even, say $n = 2^s t$
with $t$ odd. Then $\phi(2n) = \phi(2^{s+1} t) = \phi(2^{s+1})\phi(t) = 2^s\phi(t) = 2(2^{s-1}\phi(t)) = 2(\phi(2^s)\phi(t)) =
2(\phi(2^s t)) = 2\phi(n)$.

17. $n = 2^k p_1 p_2 \cdots p_r$ where each $p_i$ is a distinct Fermat prime.

19. Let $n = p_1^{a_1} \cdots p_r^{a_r}$ be the factorization for $n$. If $n = 2\phi(n)$ then $p_1^{a_1} \cdots p_r^{a_r} = 2 \prod_{j=1}^{r} p_j^{a_j - 1}(p_j -
1)$. Cancelling the powers of all $p_j$'s yields $p_1 \cdots p_r = 2 \prod_{j=1}^{r} (p_j - 1)$. If any $p_j$ is an odd prime,
then the factor $(p_j - 1)$ is even and must divide the product on the left-hand side. But there can
be at most one factor of 2 on the left-hand side and it is accounted for by the factor of 2 in front
of the product on the right-hand side. Therefore, no odd primes appear in the product. That is,
$n = 2^j$ for some $j$.

21. Because $(m, n) = p$, $p$ divides one of the terms, say, $n$, exactly once, so $n = kp$ with
$(m, k) = 1 = (n, k)$. Then $\phi(n) = \phi(kp) = \phi(k)\phi(p) = \phi(k)(p - 1)$, and $\phi(mp) = p\phi(m)$ by
the formula in Example 7.7. Then $\phi(mn) = \phi(mkp) = \phi(mp)\phi(k) = (p\phi(m))(\phi(n)/(p - 1))$.

23. Let $p_1, \ldots, p_r$ be those primes dividing $a$ but not $b$. Let $q_1, \ldots, q_s$ be those primes dividing $b$
but not $a$. Let $r_1, \ldots, r_t$ be those primes dividing $a$ and $b$. Let $P = \prod (1 - \frac{1}{p_i})$, $Q = \prod (1 - \frac{1}{q_i})$ and
$R = \prod (1 - \frac{1}{r_i})$. Then we have $\phi(ab) = abPQR = \frac{aPR \cdot bQR}{R} = \frac{\phi(a)\phi(b)}{R}$. But $\phi((a, b)) = (a, b)R$,
so $R = \frac{\phi((a, b))}{(a, b)}$ and we have $\phi(ab) = \frac{(a, b)\phi(a)\phi(b)}{\phi((a, b))}$, as desired. The final conclusion
now follows from the fact that $\phi((a, b)) < (a, b)$ when $(a, b) > 1$.

25. Assume there are only finitely many primes, $2, 3, \ldots, p$. Let $N = 2 \cdot 3 \cdot 5 \cdots p$. Then
$\phi(N) = 1$ because there is exactly one positive integer less than $N$ that is relatively prime to
$N$, namely, 1, because every prime is a factor of $N$. However, $\phi(N) = \phi(2)\phi(3)\phi(5) \cdots \phi(p) =
1 \cdot 2 \cdot 4 \cdots (p - 1) > 1$. This contradiction shows that there are infinitely many primes.


27. From the formula for the $\phi$ function, we see that if $p \mid n$, then $(p - 1) \mid k$. Because $k$ has only finitely
many divisors, there are only finitely many possibilities for prime divisors of $n$. Further, if $p$
is prime and $p^a \mid n$, then $p^{a-1} \mid k$. Hence, $a \le \log_p(k) + 1$. Therefore, each of the finitely many
primes which might divide $n$ may appear to only finitely many exponents. Therefore, there are
only finitely many possibilities for $n$.

29. As suggested, we take $k = 2 \cdot 3^{6j+1}$ with $j \ge 1$, and suppose that $\phi(n) = k$. From the formula
for $\phi(n)$, we see that $\phi(n)$ has a factor of $(p - 1)$, which is even, for every odd prime
that divides $n$. Because there is only one factor of 2 in $k$, there is at most one odd prime
divisor of $n$. Because $k$ is not a power of 2, we know that an odd prime $p$ must divide
$n$. Further, because $2 \,\|\, k$, we know that $4 \nmid n$. So $n$ is of the form $p^a$ or $2p^a$. Recall that
$\phi(p^a) = \phi(2p^a)$. It remains to discover the value of $p$. If $a = 1$, then $\phi(p^a) = p - 1 = 2 \cdot 3^{6j+1}$.
But then $p = 2 \cdot 3^{6j+1} + 1 = 6 \cdot (3^6)^j + 1 \equiv (-1)(1)^j + 1 \equiv 0 \pmod{7}$. Hence, $p = 7$. But
$\phi(7) = 6 = 2 \cdot 3^{6j+1}$ implies that $j = 0$, contrary to hypothesis, so this is not a solution. Therefore,
$a > 1$ and we have $\phi(p^a) = (p - 1)p^{a-1} = 2 \cdot 3^{6j+1}$, from which we conclude that $p = 3$ and
$a = 6j + 2$. Therefore, the only solutions are $n = p^{6j+1}$ and $n = 2p^{6j+2}$.

31. If $n = p^r m$, then $\phi(p^r m) = (p^r - p^{r-1})\phi(m) \mid (p^r m - 1)$, and hence $p \mid 1$ or $r = 1$. So $n$ is square-
free. If $n = pq$, then $\phi(pq) = (p - 1)(q - 1) \mid (pq - 1)$. Then $(p - 1) \mid (pq - 1) - (p - 1)q =
q - 1$. Similarly, $(q - 1) \mid (p - 1)$, a contradiction.


33. Let $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$. Let $P_i$ be the property that an integer is divisible by $p_i$. Let $S$ be the
set $\{1, 2, \ldots, n - 1\}$. To compute $\phi(n)$, we need to count the elements of $S$ with none of the
properties $P_1, P_2, \ldots, P_k$. Let $n(P_{i_1}, P_{i_2}, \ldots, P_{i_m})$ be the number of elements of $S$ with all of

~ . By Exercise 24 of Section 3.1, 


Pi x Pi 2 "'Pi m 
+ 


properties P ir P i2 , ■ ■ ■ , P im . Then n(P ix , ■ • ■ P im ) — 
wehave«n) = n-(A+ £ + 

"(1 - E„|„ j: + |, ^ - Ep Wh 5+57 + ■ ■ ■ + <-l)‘5+7>- On the other 

hand, notice that each term in the expansion of (1— ^-)(1 — ^) • • • (1 — is obtained 
by choosing either 1 or — from each factor and multiplying the choices together. This 


gives each term the form 

i + e p , p , ist — ■ (-d^) = 


Note that each term can occur in only one way. Thus, 

—k (_l)k_n — ) 

[Pi 2 Pi lP‘2 P\—Pk’ 


35. Note that $1 \le \phi(m) \le m - 1$ for $m > 1$. Hence if $n > 2$, $n > n_1 > n_2 > \cdots > 1$ where $n_1 = \phi(n)$
and $n_i = \phi(n_{i-1})$ for $i > 1$. Because $n_i$, $i = 1, 2, 3, \ldots$ is a decreasing sequence of positive
integers, there must be a positive integer $r$ such that $n_r = 1$.


37. Note that the definition of $f * g$ can also be expressed as $(f * g)(n) = \sum_{a \cdot b = n} f(a)g(b)$. Then
the fact that $f * g = g * f$ is evident.


39. a. If either $m > 1$ or $n > 1$, then $mn > 1$ and one of $\iota(m)$ or $\iota(n)$ is equal to zero. Then
$\iota(mn) = 0 = \iota(m)\iota(n)$. Otherwise, $m = n = 1$ and we have $\iota(mn) = 1 = 1 \cdot 1 = \iota(m)\iota(n)$.
Therefore, $\iota(n)$ is multiplicative. b. $(\iota * f)(n) = \sum_{d \mid n} \iota(d) f(\frac{n}{d}) = \iota(1) f(\frac{n}{1}) = f(n)$ because
$\iota(d) = 0$ except when $d = 1$. $(f * \iota)(n) = (\iota * f)(n) = f(n)$ by Exercise 37.

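41. Let $h = f * g$ and let $(m, n) = 1$. Then $h(mn) = \sum_{d \mid mn} f(d) g(\frac{mn}{d})$. Because $(m, n) = 1$, each
divisor $d$ of $mn$ can be expressed in exactly one way as $d = ab$ where $a \mid m$ and $b \mid n$. Then
$(a, b) = 1$ and $(\frac{m}{a}, \frac{n}{b}) = 1$. Then there is a one-to-one correspondence between the divisors $d$ of
$mn$ and the pairs of products $ab$ where $a \mid m$ and $b \mid n$. Then

$$h(mn) = \sum_{\substack{a \mid m \\ b \mid n}} f(ab)\, g\!\left(\frac{mn}{ab}\right) = \sum_{\substack{a \mid m \\ b \mid n}} f(a) f(b)\, g\!\left(\frac{m}{a}\right) g\!\left(\frac{n}{b}\right) = \sum_{a \mid m} f(a)\, g\!\left(\frac{m}{a}\right) \sum_{b \mid n} f(b)\, g\!\left(\frac{n}{b}\right) = h(m)h(n),$$

as desired.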

43. a. -1 b. -1 c. 1 d. 1 e. -1 f. -1 g. 1

45. Let $f(n) = \sum_{d \mid n} \lambda(d)$. Suppose $p^t \,\|\, n$. Then $f(p^t) = \lambda(1) + \lambda(p) + \lambda(p^2) + \cdots + \lambda(p^t) =
1 - 1 + 1 - \cdots + (-1)^t = 0$ if $t$ is odd and equal to 1 if $t$ is even. Note that $f(n) = f(p^t b) =
\sum_{d \mid n} \lambda(d) = \sum_{e \mid b} \lambda(e)(\lambda(1) + \lambda(p) + \cdots + \lambda(p^t)) = f(b) f(p^t)$. By induction, this shows that
$f$ is multiplicative. Then $f(n) = f(p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}) = \prod f(p_i^{a_i}) = 0$ if any $a_i$ is odd ($n$ is not a
square) and equal to 1 if all $a_i$ are even ($n$ is a square).

47. If $f$ and $g$ are completely multiplicative and $m$ and $n$ are positive integers, then we have
$(fg)(mn) = f(mn)g(mn) = f(m)f(n)g(m)g(n) = f(m)g(m)f(n)g(n) = (fg)(m)(fg)(n)$,
so $fg$ is also completely multiplicative.

49. $f(mn) = \log mn = \log m + \log n = f(m) + f(n)$

51. a. 2 b. 3 c. 1 d. 4 e. 8 f. 15

53. Let $(m, n) = 1$. Then by the additivity of $f$, we have $f(mn) = f(m) + f(n)$. Then $g(mn) =
2^{f(mn)} = 2^{f(m) + f(n)} = 2^{f(m)} 2^{f(n)} = g(m)g(n)$.

Section 7.2 

1. a. 48 b. 399 c. 2340 d. $2^{101} - 1$ e. 6912 f. 813,404,592 g. 15,334,088
h. 13,891,399,238,731,734,720

3. perfect squares

5. a. 6, 11 b. 10, 17 c. 14, 15, 23 d. 33, 35, 47 e. none f. 44, 65, 83

7. Note that $\tau(p^{k-1}) = k$ whenever $p$ is prime and $k$ is a positive integer $k > 1$. Hence, the equation
$\tau(n) = k$ has infinitely many solutions.

9. squares of primes
11. $n^{\tau(n)/2}$

13. a. The $n$th term is $\sigma(2n)$. b. The $n$th term is $\sigma(n) - \tau(n)$. c. The $n$th term is the least positive
integer $m$ with $\tau(m) = n$. d. The $n$th term is the number of solutions $k$ to the equation $\sigma(k) = n$.

15. 2, 4, 6, 12, 24, 36 

17. Let $a$ be the largest highly composite integer less than or equal to $n$. Note that $2a$ is less than or
equal to $2n$ and has more divisors than $a$, and hence $\tau(2a) > \tau(a)$. By Exercise 16, there must be
a highly composite integer $b$ with $a < b \le 2a$. If $b \le n$, this contradicts the choice of $a$. Therefore,
$n < b \le 2n$. It follows that there must be a highly composite integer $k$ with $2^m < k \le 2^{m+1}$ for
every nonnegative integer $m$. Therefore, there are at least $m$ highly composite integers less than
or equal to $2^m$. Thus, the $m$th highly composite integer is less than or equal to $2^m$.

19. 1, 2, 4, 6, 12, 24, 36, 48 

21. $1 + p^k$

23. Suppose that $a$ and $b$ are positive integers with $(a, b) = 1$. Then $\sum_{d \mid ab} d^k = \sum_{d_1 \mid a,\, d_2 \mid b} (d_1 d_2)^k =
\sum_{d_1 \mid a} d_1^k \sum_{d_2 \mid b} d_2^k = \sigma_k(a)\sigma_k(b)$.

25. prime numbers

27. Let $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$ and let $x$ and $y$ be integers such that $[x, y] = n$. Then $x \mid n$ and $y \mid n$, so
we have $x = p_1^{b_1} p_2^{b_2} \cdots p_r^{b_r}$ and $y = p_1^{c_1} p_2^{c_2} \cdots p_r^{c_r}$, where $b_i$ and $c_i = 0, 1, 2, \ldots, a_i$. Because
$[x, y] = n$, we must have $\max\{b_i, c_i\} = a_i$ for each $i$. Then one of $b_i$ and $c_i$ must be equal to
$a_i$ and the other can range over $0, 1, \ldots, a_i$. Therefore, we have $2a_i + 1$ ways to choose the
pair $(b_i, c_i)$ for each $i$. Then in total, we can choose the exponents $b_1, b_2, \ldots, b_r, c_1, \ldots, c_r$ in
$(2a_1 + 1)(2a_2 + 1) \cdots (2a_r + 1) = \tau(n^2)$ ways.

29. Suppose that $n$ is composite. Then $n = ab$ where $a$ and $b$ are integers with $1 < a \le b < n$. It follows
that either $a \ge \sqrt{n}$ or $b \ge \sqrt{n}$. Consequently, $\sigma(n) \ge 1 + a + b + n > 1 + \sqrt{n} + n > n + \sqrt{n}$.
Conversely, suppose that $n$ is prime. Then $\sigma(n) = n + 1$ so that $\sigma(n) < n + \sqrt{n}$. Hence,
$\sigma(n) > n + \sqrt{n}$ implies that $n$ is composite.

31 . For n — \, the statement is true. Suppose that 5Z"=i r 0) = 2 [^] _ [V« - l] 2 - For 

the induction step, it suffices to show that r in) — 2 ^ jj - [^]) = 2 X! ;<iv^i] 1> 

which is true by the definition of r(n), because there is one factor less than «fn for every factor 
greater than ~Jn. Note that if n is a perfect square, we must add the term 2 y/n — Hl^fn — 1) = 1 
to the last two sums. For n = 100, we have tij) = 2 Xjii [ j] - 100 — 482. 

33 . Let a — X P°i and b — X P x ‘ and let q — min (a,, b t ) for each i. We first prove that the product 
FI Pi X-=o Pi a (P^ i+bi ~ 2j ) — Hd\(a,b) (ab/d 2 ). To see this, let d be any divisor of (a, b), say, 

d — Y\ p . di- Then d t < q for each i, so each of the terms pf(r(p“‘ +fc,_2rf ‘) appears in exactly 
one of the sums in the product. Therefore, if we expand the product, we will find, exactly
once, the term H Pf pfcrip“ i+b ‘~ 2d ‘) = do (j~[ A = do (j\ Pi (p“‘ / P?)(p b ‘ / pf)) = 

doiia/d)ib/d)). This proves the first identity. Next, consider the sum Y^j=o(P a+b ~ 2 + 

pa+b-j - 1 _| 1_ pj^ w h ere c — min (a, b). The term p k appears in this sum once each time 

that k — a + b — j, which happens exactly when a + b — c <k <a + b, that is, c + 1 times. On 

the other hand, in the expansion of the product ip a + p a ~ x -\ 1- \)ip b + p b ~ l + • • • + 1) = 

oip a )oip b ), the same term p k appears whenever k — ia — m) + ib — n), where 0 < m < a and 
0 < n < b. Each of m and n determines the other, so p k appears exacdy min (a + 1, b+\) = c+\ 

times. Given this identity, we have o ia)o ib) = \\ p . ip“‘ + p®' -1 4 1- l)ip b ‘ + pf‘ _1 4 1- 

1) = n Pl . H%o(P < i i+bi ~ j + H 1- pj), which is the right side of the identity, as we 

proved above. 

35. From Exercises 52 and 53 in Section 7.1, we know that the arithmetic function $f(n) = 2^{\omega(n)}$
is multiplicative. Further, because the Dirichlet product $h(n) = \sum_{d \mid n} 2^{\omega(d)} = f * g(n)$, where
$g(n) = 1$ is also multiplicative, we know that $h(n)$ is also multiplicative. See Exercise 41 in
Section 7.1. Because $\tau(n)$ and $n^2$ are multiplicative, so is $\tau(n^2)$. Therefore, it is sufficient to prove
the identity for $n$ equal to a prime power, $p^a$. We have $\tau(p^{2a}) = (2a + 1)$. On the other hand, we
have $\sum_{d \mid p^a} 2^{\omega(d)} = \sum_{i=0}^{a} 2^{\omega(p^i)} = 1 + \sum_{i=1}^{a} 2^1 = 2a + 1$.

37. $\phi(1)\phi(2) \cdots \phi(n)$

39. If $p$ and $p + 2$ are prime, then $\sigma(p) = p + 1 = \phi(p + 2)$. If $2^p - 1$ is prime, then $\phi(2^{p+1}) =
2^p = \sigma(2^p - 1)$.


Section 7.3 

1. 6; 28; 496; 8128; 33,550,336; 8,589,869,056 
3. a. 31 b. 127 c. 127 
5. 12, 18, 20, 24, 30, 36
7. Suppose that $n = p^k$ where $p$ is prime and $k$ is a positive integer. Then $\sigma(p^k) = \frac{p^{k+1} - 1}{p - 1}$. Note that
$2p^k - 1 < p^{k+1}$ because $p \ge 2$. It follows that $p^{k+1} - 1 < 2(p^{k+1} - p^k) = 2p^k(p - 1)$, so that
$\frac{p^{k+1} - 1}{p - 1} < 2p^k = 2n$. It follows that $n = p^k$ is deficient.

9. Suppose that $n$ is abundant or perfect. Then $\sigma(n) \ge 2n$. Suppose that $n \mid m$. Then $m = nk$ for some
integer $k$. The divisors of $m$ include the integers $kd$ and $d$ for $d \mid n$. Hence, $\sigma(m) \ge \sum_{d \mid n} (k + 1)d =
(k + 1) \sum_{d \mid n} d = (k + 1)\sigma(n) \ge (k + 1)2n > 2kn = 2m$. Hence, $m$ is abundant.

11. If $p$ is any prime, then $\sigma(p) = p + 1 < 2p$, so $p$ is deficient. Because there are infinitely many
primes, we must have infinitely many deficient numbers.

13. See Exercises 6 and 9 for an alternate solution. For a positive integer $a$, let $n = 3^a \cdot 5 \cdot 7$ and
compute $\sigma(n) = \sigma(3^a \cdot 5 \cdot 7) = \frac{3^{a+1} - 1}{3 - 1}(5 + 1)(7 + 1) = (3^{a+1} - 1)24 = 3^{a+1} \cdot 24 - 24 =
2 \cdot 3^a (36) - 24 = 2 \cdot 3^a (35) + 2 \cdot 3^a - 24 = 2n + 2 \cdot 3^a - 24$, which will be greater than $2n$
whenever $a > 3$. This demonstrates infinitely many odd abundant integers.

15. a. The prime factorizations of 220 and 284 are $220 = 2^2 \cdot 5 \cdot 11$ and $284 = 2^2 \cdot 71$. Hence,
$\sigma(220) = \sigma(2^2)\sigma(5)\sigma(11) = 7 \cdot 6 \cdot 12 = 504$ and $\sigma(284) = \sigma(2^2)\sigma(71) = 7 \cdot 72 = 504$. Because
$\sigma(220) = \sigma(284) = 220 + 284 = 504$, it follows that 220 and 284 form an amicable pair. b.
The prime factorizations of 1184 and 1210 are $1184 = 2^5 \cdot 37$ and $1210 = 2 \cdot 5 \cdot 11^2$. Hence,
$\sigma(1184) = \sigma(2^5)\sigma(37) = 63 \cdot 38 = 2394$ and $\sigma(1210) = \sigma(2)\sigma(5)\sigma(11^2) = 3 \cdot 6 \cdot 133 = 2394$.
Because $\sigma(1184) = \sigma(1210) = 1184 + 1210 = 2394$, 1184 and 1210 form an amicable pair.
c. The prime factorizations of 79,750 and 88,730 are $79{,}750 = 2 \cdot 5^3 \cdot 11 \cdot 29$ and $88{,}730 =
2 \cdot 5 \cdot 19 \cdot 467$. Hence, $\sigma(79{,}750) = \sigma(2)\sigma(5^3)\sigma(11)\sigma(29) = 3 \cdot 156 \cdot 12 \cdot 30 = 168{,}480$ and
similarly $\sigma(88{,}730) = \sigma(2)\sigma(5)\sigma(19)\sigma(467) = 3 \cdot 6 \cdot 20 \cdot 468 = 168{,}480$. Because $\sigma(79{,}750) =
\sigma(88{,}730) = 79{,}750 + 88{,}730 = 168{,}480$, it follows that 79,750 and 88,730 form an amicable


17. $\sigma(120) = \sigma(2^3 \cdot 3 \cdot 5) = \sigma(2^3)\sigma(3)\sigma(5) = 15 \cdot 4 \cdot 6 = 360 = 3 \cdot 120$

19. $\sigma(2^7 3^4 5 \cdot 7 \cdot 11^2 \cdot 17 \cdot 19) = \frac{2^8 - 1}{2 - 1} \cdot \frac{3^5 - 1}{3 - 1}(5 + 1)(7 + 1)\frac{11^3 - 1}{11 - 1}(17 + 1)(19 + 1) = 255 \cdot 121 \cdot 6 \cdot 8 \cdot
133 \cdot 18 \cdot 20 = 5 \cdot 14{,}182{,}439{,}040$.

21. Suppose that $n$ is 3-perfect and 3 does not divide $n$. Then $\sigma(3n) = \sigma(3)\sigma(n) = 4 \cdot 3n$. Hence, $3n$
is 4-perfect.

23. 908,107,200

25. $\sigma(\sigma(16)) = \sigma(31) = 32 = 2 \cdot 16$

27. Certainly if $r$ and $s$ are integers, then $\sigma(rs) \ge rs + r + s + 1$. Suppose $n = 2^q t$ is superperfect
with $t$ odd and $t > 1$. Then $2n = 2^{q+1} t = \sigma(\sigma(2^q t)) = \sigma((2^{q+1} - 1)\sigma(t)) \ge (2^{q+1} - 1)\sigma(t) +
(2^{q+1} - 1) + \sigma(t) + 1 > 2^{q+1}\sigma(t) \ge 2^{q+1}(t + 1)$. Then $t > t + 1$, a contradiction. Therefore, we
must have $n = 2^q$, in which case we have $2n = 2^{q+1} = \sigma(\sigma(2^q)) = \sigma(2^{q+1} - 1) = \sigma(2n - 1)$.
Therefore, $2n - 1 = 2^{q+1} - 1$ is prime.

29. a. yes b. no c. yes d. no

31. $M_n(M_n + 2) = (2^n - 1)(2^n + 1) = 2^{2n} - 1$. If $2n + 1$ is prime, then $\phi(2n + 1) = 2n$ and
$2^{2n} \equiv 1 \pmod{2n + 1}$. Then $(2n + 1) \mid 2^{2n} - 1 = M_n(M_n + 2)$. Therefore, $(2n + 1) \mid M_n$ or
$(2n + 1) \mid (M_n + 2)$.

33. Because $m$ is odd, $m^2 \equiv 1 \pmod{8}$, so $n = p^a m^2 \equiv p^a \pmod{8}$. By Exercise 32 (a), $a \equiv 1 \pmod{4}$,
so $p^a = p^{4k} p \equiv p \pmod{8}$, because $p^{4k}$ is an odd square. Therefore, $n \equiv p \pmod{8}$.

35. First suppose that n = p a where p is prime and a is a positive integer. Then a(n) = p ^ + _~ 1 < 
^ so that o (n) / 2 n and n is not perfect. Next suppose that n — p a q b 
where a and b are primes and a and b are positive integers. Then o(n) = < 
<£X‘i> = = (i-i’d-i) - (jftir = t < ln - Hence ' aM * * and " is not 

perfect. 

37. integers of the form $p^5$ and $p^2 q$ where $p$ and $q$ are primes.

39. Suppose $M_n = 2^n - 1 = a^k$, with $n$ and $k$ integers greater than 1. Then $a$ must be odd. If $k = 2j$,
then $2^n - 1 = (a^j)^2$. Because $n > 1$ and the square of an odd integer is congruent to 1 modulo 4,
reduction of the last equation modulo 4 yields the contradiction $-1 \equiv 1 \pmod{4}$; therefore, $k$ must
be odd. Then $2^n = a^k + 1 = (a + 1)(a^{k-1} - a^{k-2} + \cdots + 1)$. So $a + 1 = 2^m$ for some integer $m$.
Then $2^n - 1 = (2^m - 1)^k$. Now $n > mk$ so reduction modulo $2^{2m}$ gives $-1 \equiv k2^m - 1 \pmod{2^{2m}}$
or, because $k$ is odd, $2^m \equiv 0 \pmod{2^{2m}}$, a contradiction.

Section 7.4 

1. a. 0 b. 1 c. -1 d. 0 e. -1 f. 1 g. 0

3. 0, —1, —1, —1, 0, —1, 1, —1, 0, —1, —1, respectively 

5. 1, 6, 10, 14, 15, 21, 22, 26, 33, 34, 35, 38, 39, 46, 51, 55, 57, 58, 62, 65, 69, 74, 77, 82, 85, 86, 
87, 91, 93, 94, 95 

7. 1, 0, —1, —1, —2, —1, —2, —2, —2, —1, respectively 

9. Because $\mu(n)$ is 0 for nonsquarefree $n$, 1 for $n$ a product of an even number of distinct primes and
$-1$ for $n$ a product of an odd number of distinct primes, the sum $M(n) = \sum_{i=1}^{n} \mu(i)$ is unaffected
by the nonsquarefree numbers, but counts 1 for every even product and $-1$ for every odd product.
Thus, $M(n)$ counts how many more even products than odd products there are.

11. For any nonnegative integer $k$, the numbers $n = 36k + 8$ and $n + 1 = 36k + 9$ are consecutive and
divisible by $4 = 2^2$ and $9 = 3^2$, respectively. Therefore, $\mu(36k + 8) + \mu(36k + 9) = 0 + 0 = 0$.
13. 3 

15. Let $h(n) = n$ be the identity function. Then from Theorem 7.7, we have $h(n) = n = \sum_{d \mid n} \phi(d)$.
Then by the Möbius inversion formula, we have $\phi(n) = \sum_{d \mid n} \mu(d)h(n/d) = \sum_{d \mid n} \mu(d)(n/d) =
n \sum_{d \mid n} \mu(d)/d$.

17. Because $\mu$ and $f$ are multiplicative, then so is their product, $\mu f$, by Exercise 46 of Section
7.1. Further, the summatory function $\sum_{d \mid n} \mu(d)f(d)$ is also multiplicative by Theorem 7.17.
Therefore, it suffices to prove the proposition for $n$ a prime power. We compute $\sum_{d \mid p^a} \mu(d)f(d) =
\mu(p^a)f(p^a) + \mu(p^{a-1})f(p^{a-1}) + \cdots + \mu(p)f(p) + \mu(1)f(1)$. But for exponents $j$ greater than
1, $\mu(p^j) = 0$, so the above sum equals $\mu(p)f(p) + \mu(1)f(1) = -f(p) + 1$.

19. $\phi(n)/n$

2i. (-D‘nLft 

23. Because both sides of the equation are known to be multiplicative (see Exercise 35 in Section
7.2), it suffices to prove the identity for $n = p^a$, a prime power. On one hand, we have
$\sum_{d \mid p^a} \mu^2(d) = \mu^2(p) + \mu^2(1) = 1 + 1 = 2$. On the other hand, we have $\omega(p^a) = 1$, so the
right side is $2^1 = 2$.

25. Let $\lambda$ play the role of $f$ in the identity of Exercise 17. Then the left side equals $\prod_{j=1}^{k} (1 - \lambda(p_j)) =
\prod_{j=1}^{k} (1 - (-1)) = 2^k = 2^{\omega(n)}$.

27. We compute $\mu * \nu(n) = \sum_{d \mid n} \mu(d)\nu(n/d) = \sum_{d \mid n} \mu(d) = \iota(n)$, by Theorem 7.15.

29. Because $\nu(n)$ is identically 1, we have $F(n) = \sum_{d \mid n} f(d) = \sum_{d \mid n} f(d)\nu(n/d) = f * \nu(n)$. If we
Dirichlet multiply both sides by $\mu$, we have $F * \mu = f * \nu * \mu = f * \iota = f$.
31. From the Möbius inversion formula, we have $\Lambda(n) = \sum_{d \mid n} \mu(d) \log(n/d) = \sum_{d \mid n} \mu(d)(\log n -
\log d) = \sum_{d \mid n} \mu(d) \log(n) - \sum_{d \mid n} \mu(d) \log(d) = \log n \sum_{d \mid n} \mu(d) - \sum_{d \mid n} \mu(d) \log(d) =
\log n \,\iota(n) - \sum_{d \mid n} \mu(d) \log(d) = -\sum_{d \mid n} \mu(d) \log(d)$, because $\iota(n) = 0$ if $n$ is not 1, and
$\log n = 0$ if $n = 1$.

33. a. Let A; be an integer in the range 0 < A < n — 1, and let d — (A, n), so that n—dj for 
some integer j. If £ is a primitive nth root of unity, we have £" = {£ d y = 1, so t; d is 
a y'th root of unity. If t; d were not a primitive jth root of unity, then 1 = (X d ) b — t; db 
with db < dj — n, contradicting the assumption that £ is a primitive nth root of unity. So 
n (k n)=d (x — (t; d ) k ) = ®j(x) as the product runs through a complete set of reduced residues 
modulo j. It remains to note that x n — 1 = II£~q(jc — because both polynomials have 
the same degree and the same roots. The last product equals n d |„n (fc „ )=d (jc — (£ d ) k ) — 
n d\n®j( x )- b. From part (a), we have x p - 1 = Y[ d \ p ®d( x ) = = (1 - *)$,,(*)■ 

Then <& p (x) — (x p — 1)/(jc — 1) = x p ~ l + x p ~ 2 -\ f x + 1. c. From part (b), we have 

x 2p = Ud\ 2 P ®d( x ) = ^i(.x)^ 2 ( x )^ p ( x )^ 2 p( x )- Because = x-l, <D 2 (^) = x + 1. and 
OpOO = (x p - 1)/(jc — 1), from part (b), we compute d> 2 pOO = 

* 2p - 1 (x p — i)(x p + 1) _ + 1 _ 

(x - l)(x + l)(;t p - \)l(x - 1) <X+I)(xl>-1) X + 1 

35. We need a little lemma: Let $f(x)$ and $g(x)$ be monic polynomials with rational coefficients. If
$f(x)g(x)$ has integer coefficients, then so do $f(x)$ and $g(x)$. Proof: Let $f(x) = x^m + a_{m-1}x^{m-1} +
\cdots + a_0$ and $g(x) = x^n + b_{n-1}x^{n-1} + \cdots + b_0$, and let $M$ and $N$ be the smallest positive integers
such that $Mf(x)$ and $Ng(x)$ have integer coefficients. Then all coefficients of $MNf(x)g(x)$ are
divisible by $MN$, because $f(x)g(x)$ is an integer polynomial. Let $p$ be a prime divisor of $MN$.
If $p \nmid M$, then $p$ doesn't divide the leading coefficient of $Mf(x)$. If $p \mid M$, then some coefficient
$Ma_i$ is not divisible by $p$, otherwise this would contradict the minimality of $M$. Let $I$ be the
largest index such that $Ma_I$ is not divisible by $p$. Similarly, let $J$ be the largest index such that
$Nb_J$ is not divisible by $p$. (In both cases, we take $a_m = b_n = 1$.) Then the coefficient of $x^{I+J}$
in $MNf(x)g(x)$ is $Ma_I Nb_J + R$ where $R$ is a sum of products involving $Ma_i$ and $Nb_j$ with
either $i > I$ or $j > J$, and hence $p \mid R$ and therefore $p \nmid Ma_I Nb_J + R$. But this contradicts
that $p$ divides the coefficients of $MNf(x)g(x)$. This proves the lemma. Now, from Exercise
34, we have $\Phi_n(x) = \prod_{d \mid n} (x^d - 1)^{\mu(n/d)}$. Let $P(x)$ be the product of those factors for which
$\mu(n/d) = -1$, and let $Q(x)$ be the product of those factors for which $\mu(n/d) = 1$. Then we have
$P(x)\Phi_n(x) = Q(x)$. Because $Q(x)$ has integer coefficients, so does $\Phi_n(x)$, by the lemma.
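Several of the answers above (Section 7.1 Exercises 41 and 45, Section 7.2 Exercise 35, Section 7.4 Exercises 15, 23, 27, 29 and 31) are identities between Dirichlet products. The following added example, not part of the text, builds the arithmetic functions directly from their definitions and checks each identity numerically for $n \le 150$; the function names and the test function $f(n) = n^2 + 1$ are chosen here for illustration.

```python
from functools import lru_cache
from math import gcd, isclose, isqrt, log


@lru_cache(maxsize=None)
def divisors(n):
    """All positive divisors of n, in increasing order."""
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return tuple(small + [n // d for d in reversed(small) if d * d != n])


def prime_divisors(n):
    return [d for d in divisors(n) if len(divisors(d)) == 2]


def omega(n):
    """Number of distinct prime divisors of n."""
    return len(prime_divisors(n))


def liouville(n):
    """lambda(n) = (-1)^(number of prime factors counted with multiplicity)."""
    count = 0
    for p in prime_divisors(n):
        while n % p == 0:
            n //= p
            count += 1
    return -1 if count % 2 else 1


def mobius(n):
    primes = prime_divisors(n)
    if any(n % (p * p) == 0 for p in primes):
        return 0
    return -1 if len(primes) % 2 else 1


def phi(n):
    """Euler phi straight from the definition, not from the product formula."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def mangoldt(n):
    """log p if n is a power of the prime p, otherwise 0."""
    primes = prime_divisors(n)
    return log(primes[0]) if len(primes) == 1 else 0.0


def dirichlet(f, g):
    """Dirichlet product (f * g)(n) = sum over d | n of f(d) g(n/d)."""
    return lambda n: sum(f(d) * g(n // d) for d in divisors(n))


def nu(n):          # identically 1
    return 1


def iota(n):        # identity for the Dirichlet product
    return 1 if n == 1 else 0


def ident(n):
    return n


def check_identities(limit=150):
    """Return {identity: True/False}, each checked for every 1 <= n <= limit."""
    ns = range(1, limit + 1)
    f = lambda n: n * n + 1            # arbitrary and not multiplicative
    F = dirichlet(f, nu)               # summatory function of f
    return {
        "phi = mu * id": all(phi(n) == dirichlet(mobius, ident)(n) for n in ns),
        "mu * nu = iota": all(dirichlet(mobius, nu)(n) == iota(n) for n in ns),
        "F * mu = f": all(dirichlet(F, mobius)(n) == f(n) for n in ns),
        "sum mu^2(d) = 2^omega(n)": all(
            sum(mobius(d) ** 2 for d in divisors(n)) == 2 ** omega(n) for n in ns),
        "sum 2^omega(d) = tau(n^2)": all(
            sum(2 ** omega(d) for d in divisors(n)) == len(divisors(n * n)) for n in ns),
        "sum lambda(d) = [n is a square]": all(
            dirichlet(liouville, nu)(n) == int(isqrt(n) ** 2 == n) for n in ns),
        "Lambda(n) = -sum mu(d) log d": all(
            isclose(mangoldt(n), -sum(mobius(d) * log(d) for d in divisors(n)),
                    abs_tol=1e-9) for n in ns),
    }


if __name__ == "__main__":
    for name, ok in check_identities().items():
        print(f"{name}: {ok}")
```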

Section 7.5 

1. a. (2), (1, 1); $p(2) = 2$ b. (4), (3, 1), (2, 2), (2, 1, 1), (1, 1, 1, 1); $p(4) = 5$ c. (6), (5, 1),
(4, 2), (4, 1, 1), (3, 3), (3, 2, 1), (3, 1, 1, 1), (2, 2, 2), (2, 2, 1, 1), (2, 1, 1, 1, 1), (1, 1, 1, 1, 1, 1);
$p(6) = 11$ d. (9), (8, 1), (7, 2), (7, 1, 1), (6, 3), (6, 2, 1), (6, 1, 1, 1), (5, 4), (5, 3, 1), (5, 2, 2),
(5, 2, 1, 1), (5, 1, 1, 1, 1), (4, 4, 1), (4, 3, 2), (4, 3, 1, 1), (4, 2, 2, 1), (4, 2, 1, 1, 1), (4, 1, 1, 1, 1, 1),
(3, 3, 3), (3, 3, 2, 1), (3, 3, 1, 1, 1), (3, 2, 2, 2), (3, 2, 2, 1, 1), (3, 2, 1, 1, 1, 1), (3, 1, 1, 1, 1, 1, 1),
(2, 2, 2, 2, 1), (2, 2, 2, 1, 1, 1), (2, 2, 1, 1, 1, 1, 1), (2, 1, 1, 1, 1, 1, 1, 1), (1, 1, 1, 1, 1, 1, 1, 1, 1);
$p(9) = 30$

3. $p_O(6) = 4$, $p_D(6) = 4$, $p_2(6) = 4$

5. a. 8 b. 0 c. 4 d. 7 e. 8 f. 2 g. 4 h. 2 

7. Let $n$ be a positive integer and let $A$ be the set of all partitions of $n$. Then there are $p(n)$ elements
in $A$. Create subsets of $A$, named $A_1, A_2, \ldots, A_n$, as follows. For each partition in $A$, count the
number of parts. If the number of parts is $k$, put the partition in $A_k$. Then the number of elements
in $A_k$ will be $p(n, k)$. Because every partition of $n$ has between 1 and $n$ parts, all partitions go into
exactly one subset. Further, any two distinct subsets must be disjoint, so $A$ is the disjoint union of
the $A_k$. Thus, $p(n) = |A| = |A_1| + |A_2| + \cdots + |A_n| = \sum_{k=1}^{n} p(n, k)$.

9. $p(5, 1) = 1$, $p(5, 2) = 2$, $p(5, 3) = 2$, $p(5, 4) = 1$, $p(5, 5) = 1$. Then $1 + 2 + 2 + 1 + 1 = 7 = p(5)$.

11. $[n/2]$ (greatest integer function)

13. a. (5, 4, 2, 2, 1, 1), not self-conjugate b. (2, 2, 2, 2, 2, 2, 2, 1), not self-conjugate 

c. (7, 4, 3, 1), not self-conjugate d. (10, 5), not self-conjugate 

15. (8, 1, 1, 1, 1, 1, 1, 1), (6, 3, 3, 1, 1, 1), (5, 4, 3, 2, 1), (4, 4, 4, 3) 

17. Let $m$ and $n$ be integers with $1 < m < n$. If $P$ is a partition of $n$ into at most $m$ parts, then
the Ferrers diagram will have at most $m$ rows. Let $Q$ be the conjugate of $P$. Then the Ferrers
diagram for $Q$ will have at most $m$ columns, and hence represents a partition of $n$ into parts not
greater than $m$. Therefore, $p(n \mid \text{at most } m \text{ parts}) \le p(n \mid \text{parts no greater than } m)$. Conversely,
suppose $Q$ is a partition of $n$ into parts no greater than $m$. Then the Ferrers diagram of $Q$
has at most $m$ columns. If $P$ is the conjugate of $Q$, then the Ferrers diagram for $P$ has at
most $m$ rows, and hence represents a partition of $n$ into parts no greater than $m$. Therefore,
$p(n \mid \text{parts no greater than } m) \le p(n \mid \text{at most } m \text{ parts})$. The two inequalities together prove the
assertion.

19. nr=id + ) = E n °°=i = va - *) 

21. nr=ld + *“)/(! - !. 2, 3, 4, 6, 12, 16, 22, 29 

23. nr=ld - *")/(! - **); 1, 2, 3, 4, 6, 12, 16, 22, 29 

25. nr=id - x k2 )/il - x k ): 0, 1, 1, 1, 2, 3, 3, 5, 5, 8 

27. From the formula for the sum of a finite geometric series, we have (1 — x^ d+i)k )/ 

(1 — x k ) — l + x k + x 2k 1- x dk . From Exercise 23, the generating function for p{ k \ d jf k+ i } (n) 

is nr=i(l — x d ^ k+V) )H\ — x k ) = + X k + x 2k + • — f- x dk ). But this last expression is the 

generating function for pin |no part appears more than d times) as found in Exercise 22. 

29. a. The generating function for $p(n \mid \text{no part equals } 1)$ is, by Theorem 7.21, $\prod_{k=2}^{\infty} 1/(1 - x^k) =
(1 - x) \prod_{k=1}^{\infty} 1/(1 - x^k) = \prod_{k=1}^{\infty} 1/(1 - x^k) - x \prod_{k=1}^{\infty} 1/(1 - x^k)$. The coefficient of $x^n$ in the
first product is $p(n)$. The coefficient of $x^n$ in the second product is $p(n - 1)$, because of the extra
factor of $x$ in front of the product. Therefore, the coefficient of $x^n$ in the combined expression is
$p(n) - p(n - 1)$. b. If we have a partition of $n - 1$, then we can add 1 as an additional part to get
a partition of $n$ that contains a 1. Conversely, if we have a partition of $n$ having 1 as a part, then we
can remove the 1 and obtain a partition of $n - 1$. So there is a one-to-one correspondence between
the set of partitions of $n$ having 1 as a part and the set of partitions of $n - 1$. Therefore, the number
of partitions of $n$ not having one as a part equals $p(n) - p(n \mid 1 \text{ is not a part}) = p(n) - p(n - 1)$.

31. Consider a partition of $n$ into distinct powers of 2. Define a process that changes the partition into
a partition all of whose parts are 1, by taking any part $2^k$ and writing it as $2^{k-1} + 2^{k-1}$. By iterating
this process, all parts will be reduced to $2^0 = 1$ and we will arrive at a partition of $n$ into parts
of size 1. Also define a reverse process in which, if any two like powers of 2 are present, say, $2^k$
and $2^k$, they are merged into one part of size $2^k$. If we iterate this process on a partition into parts
of size $1 = 2^0$, then we must eventually have all distinct powers of 2. Thus, we have a bijection
between the set of partitions of $n$ into parts of size 1 and the set of partitions of $n$ into distinct
powers of two. Therefore, $p_{\{1\}}(n) = p(n \mid \text{distinct powers of } 2)$. Because there is only one partition
of $n$ into parts of size 1, there must be only one partition of $n$ into distinct powers of 2. Because
such a partition is the binary expansion of $n$, this shows that the binary expansion is unique.

33. From Exercise 30, we know that Pgin) equals the number of self-conjugate partitions of n. Call 
this number N, and consider the set of partitions of n. The subset of non-self-conjugate partitions 
of n has an even number of elements, because each partition can be paired with its conjugate. 
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Then pin) equals the number of non-self-conjugate partitions plus the number of self-conjugate 
partitions, which is an even number plus N, which in turn is odd if and only if N is odd. 

35. First, note that $p(n-2) = p(n \mid \text{at least one part equals 2})$ because adding and removing a part 
of size 2 gives us a bijection between the two sets of partitions. Second, note that we can change 
a partition of $n$ with no part of size 1 into at least one partition with a part of size 2 by taking 
the smallest part (which must be at least 2) and splitting off as many parts of size 1 as necessary. 
Therefore, $p(n \mid \text{at least one part of size 2}) \ge p(n \mid \text{no part equals 1})$. Now from Exercise 34, we 
have $p(n) = p(n-1) + p(n \mid \text{no part equals 1}) \le p(n-1) + p(n \mid \text{at least one part equals 2}) = p(n-1) + p(n-2)$. 

Next, note that $p(1) = 1 = f_2$ and $p(2) = 2 = f_3$. This is our basis step. Suppose $p(n) \le f_{n+1}$ 
for all integers up to $n$. Then $p(n+1) \le p(n) + p(n-1) \le f_{n+1} + f_n = f_{n+2}$, which proves the 
induction step. So by mathematical induction, we have $p(n) \le f_{n+1}$ for every $n$. 

37. $p(1) = 1$; $p(2) = 2$; $p(3) = 3$; $p(4) = 5$; $p(5) = 7$; $p(6) = 11$; $p(7) = 15$; $p(8) = 22$; $p(9) = 30$; 
$p(10) = 42$; $p(11) = 56$; $p(12) = 77$ 

39. For the first part of the theorem, note that the product can be rewritten as $\prod_{j \in S} 1/(1 - x^j) = \prod_{j \in S} (1 + x^j + x^{2j} + \cdots)$. Then the coefficient of $x^n$, when we expand this product, is the 
number of ways we can write $n = a_1 k_1 + a_2 k_2 + \cdots$ where the $a_i$ are positive integers and the $k_i$ 
are elements from $S$, but this is exactly the number of partitions of $n$ into parts from $S$. For the 
second part of the theorem, note that when we expand the product $\prod_{j \in S} (1 + x^j)$, the coefficient 
of $x^n$ is the number of ways to write $n = k_1 + k_2 + \cdots$ where the $k_i$ are elements of $S$. But this is 
just the number of partitions into distinct parts from $S$. 

41. The partitions of 11 into parts differing by at least 2 are (11), (10, 1), (9, 2), (8, 3), (7, 4), (7, 3, 1), 
and (6, 4, 1), for a total of 7. The positive integers less than or equal to 11 that are congruent 
to 1 or 4 modulo 5 are 1, 4, 6, 9, and 11, so the partitions of 11 into parts congruent to 1 or 5 
modulo 5 are (11), (9, 1, 1), (6, 4, 1), (6, 1, 1, 1, 1, 1), (4, 4, 1, 1, 1), (4, 1, 1, 1, 1, 1, 1, 1), and 
(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1), for a total of 7 also. This verifies the first Rogers-Ramanujan identity 
for $n = 11$. The partitions of 11 into parts differing by at least 2 and that are at least two are 
(11), (9, 2), (8, 3), and (7, 4), for a total of 4. The partitions of 11 into parts congruent to 2 or 3 
modulo 5 are (8, 3), (7, 2, 2), (3, 3, 3, 2), and (3, 2, 2, 2, 2), for a total of 4 also. This verifies 
the second Rogers-Ramanujan identity for $n = 11$. 

Section 8.1 

1. DWWDF NDWGD ZQ 
3. IEXXK FZKXC UUKZC STKJW 
5. READ MY LIPS 
7. 12 

9. AN IDEA IS LIKE A CHILD NONE IS BETTER THAN YOUR OWN FROM CHINESE 
FORTUNE COOKIE 

11. 9, 12 

13. THIS MESSAGE WAS ENCIPHERED USING AN AFFINE TRANSFORMATION 

15. C = IP + 16 (mod 26) 


Section 8.2 

1. VSPFXH HIPKLB KIPMIE GTG 
3. TJEVT EESPZ TJIAN IARAB GSHWQ HASBU BJGAO XYACF XPHML AWVMO XANLB 
GABMS HNEIA TffiZV VWNQF TLEZF HJWPB WKEAG AENOF UACIH LATPR RDADR 
GKTJR XJDWA XXENB KA 

5. Let $n$ be the key length, and suppose $k_1, k_2, \ldots, k_n$ are the numerical equivalents of the letters 
of the keyword. If $p_i = p_j$ are two plaintext characters separated by a multiple of the key 
length, when we separate the plaintext into blocks of length $n$, $p_i$ and $p_j$ will be in the same 
position in their respective blocks, say, the $m$th position. So when we encrypt them, we get 
$c_i \equiv p_i + k_m \equiv p_j + k_m \equiv c_j \pmod{26}$. 

7. The key is YES, and the plaintext is MISTA KESAR EAPAR TOFBE INGHU MANAP PRECI 
ATEYO URMIS TAKES FORWH ATTHE YAREP RECIO USLIF ELESS ONSTH ATCAN 
ONLYB ELEAR NEDTH EHARD WAYUN LESSI TISAF ATALM ISTAK EWHIC HAILE 
ASTOT HERSC ANLEA RNFRO M. 

9. The key is BIRD, and the plaintext is IONCE HADAS PARRO WALIG HTUPO NMYSH OULDE 
RFORA MOMEN TWHEL EIWAS HOEIN GINAV ILLAG EGARD ENAND IFELT THATI 
WASMO REDIS TINGU ISHED BYTHA TCIRC UMSTA NCETH ATISH OULDH AVEBE 
ENBYA NYEPA ULETI COULD HAVEW ORN. 

11. The key is SAGAN, and the plaintext is BUTTH EFACT THATS OMEGE NIUSE SWERE 
LAUGH EDATD OESNO TIMPL YTHAT ALLWH OAREL AUGHE DATAR EGENI USEST 
HEYLA UGHED ATCOL UMBUS THEYL AUGHE DATFU LTONT HEYLA UGHED ATTHE 
WRIGH TBROT HERSB UTTHE YALSO LAUGH EDATB OZOTH ECLOW N. 

13. RLOQNZOFXMCQKGQIVDAZ 
15. TO SLEEP PERCHANCE TO DREAMX 


17. 3, 24, 24, 25 

19. We have $C \equiv AP \pmod{26}$. Multiplying both sides on the left by $A$ gives $AC \equiv A^2 P \equiv IP \equiv P \pmod{26}$. 
The congruence $A^2 \equiv I \pmod{26}$ follows because $A$ is involutory. It follows that $A$ is 
also a deciphering matrix. 

21. 0=^2 ^ (mod 26) 

23. If the plaintext is grouped into blocks of size $m$, we may take of these blocks to form a super-block 
of size $[m, n]$. If $A$ is the $m \times m$ enciphering matrix, form the $[m, n] \times [m, n]$ matrix $B$ 
with copies of $A$ on the diagonal and zeros elsewhere: 

$$B = \begin{pmatrix} A & 0 & \cdots & 0 \\ 0 & A & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & A \end{pmatrix}.$$

Then $B$ will encipher blocks of size $m$ at once. Similarly, if $C$ is the $n \times n$ enciphering matrix, form 
the corresponding $[m, n] \times [m, n]$ matrix $D$. Then $BD$ is an $[m, n] \times [m, n]$ enciphering matrix 
that does everything at once. 


25. Multiplication of $(0 \cdots 0\ 1\ 0 \cdots 0) \begin{pmatrix} P_1 \\ P_2 \\ \vdots \\ P_n \end{pmatrix}$ with the 1 in the $i$th place yields the $1 \times 1$ matrix $(P_i)$. 
So if the $j$th row of a matrix $A$ is $(0 \cdots 0\ 1\ 0 \cdots 0)$, then $A \begin{pmatrix} P_1 \\ \vdots \\ P_n \end{pmatrix} = \begin{pmatrix} C_1 \\ \vdots \\ C_n \end{pmatrix}$ gives $C_j = P_i$. So 
if every row of $A$ has its 1 in a different column, then each $C_j$ is equal to a different $P_i$. Hence, $A$ 
is a “permutation” matrix. 

27. 7) €+(15) (mod 26) 

29. TOXIC WASTE 

31. Make a frequency count of the trigraphs and use a published English language count of frequencies 
of trigraphs. Then proceed as in problem 18. There are 12 variables to determine, so 4 guesses are 
needed. 

33. yes 

35. 01 1101 1010 

37. RENDEZVOUS 

39. Let $p_1 p_2 \cdots p_m$ and $q_1 q_2 \cdots q_m$ be two different plaintext bit streams. Let $k_1, k_2, \ldots, k_m$ be 
the key stream by which the plaintexts are encrypted. Then note that for any $i = 1, 2, \ldots, m$, 
$E_{k_i}(p_i) + E_{k_i}(q_i) = k_i + p_i + k_i + q_i = 2k_i + p_i + q_i \equiv p_i + q_i \pmod 2$. Therefore, by adding 
corresponding bits of the ciphertext streams, we get the sums of the corresponding bits of the 
plaintext streams. This partial information can lead to successful cryptanalysis of encrypted 
messages. 
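
The identity in answer 39, checked on byte-sized messages. This is an added example, not code from the book; the two plaintexts are constructed samples and the function names are hypothetical. It also shows the contrast case: when the second message gets a fresh key stream, the sum of the ciphertexts no longer equals the sum of the plaintexts.

```python
import secrets


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; len(bits) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def encipher(key_stream, plain_bits):
    """E_{k_i}(p_i) = k_i + p_i (mod 2), applied bit by bit."""
    if len(key_stream) < len(plain_bits):
        raise ValueError("key stream shorter than plaintext")
    return [(k + p) % 2 for k, p in zip(key_stream, plain_bits)]


def add_mod2(a, b):
    """Bitwise sum modulo 2 of two equal-length bit streams."""
    return [(x + y) % 2 for x, y in zip(a, b)]


def recover_other(c1, c2, known_plain_bits):
    """If c1 and c2 share a key stream, c1 + c2 + p = q (mod 2)."""
    return add_mod2(add_mod2(c1, c2), known_plain_bits)


def demo():
    p = to_bits(b"MEET AT DAWN")      # constructed sample plaintexts
    q = to_bits(b"HOLD AT NOON")
    k = [secrets.randbits(1) for _ in p]

    # Same key stream for both messages: the key cancels out of c1 + c2.
    c1, c2 = encipher(k, p), encipher(k, q)
    reuse_leaks = add_mod2(c1, c2) == add_mod2(p, q)
    recovered = from_bits(recover_other(c1, c2, p))

    # Fresh key stream for the second message: c1 + c2' = p + q + k + k',
    # which matches p + q only if k' happens to equal k.
    k_fresh = [secrets.randbits(1) for _ in q]
    fresh_leaks = add_mod2(c1, encipher(k_fresh, q)) == add_mod2(p, q)
    return reuse_leaks, recovered, fresh_leaks


if __name__ == "__main__":
    print(demo())
```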

Section 8.3 

1. 14 17 17 27 11 17 65 76 07 76 14 

3. BEAM ME UP 

5. We encipher messages using the transformation $C \equiv P^{11} \pmod{31}$. The deciphering exponent is 
the inverse of 11 modulo 30 because $\phi(31) = 30$. But 11 is its own inverse modulo 30 because 
$11 \cdot 11 = 121 \equiv 1 \pmod{30}$. It follows that 11 is both the enciphering and deciphering exponent. 

Section 8.4 

1. 151,97 

3. Because a block of ciphertext $P$ is less than $n$, we must have $(P, n) = p$ or $q$. Therefore, the 
cryptanalyst has a factor of $n$. 

5. 1215 1224 1471 0023 0116 

7. GREETENGSX 

9. 0872 2263 1537 2392 

11. No. It is as if the encryption key were $(e_1 e_2, n)$, and it is no more difficult (or easy) to discover the 
inverse of $e = e_1 e_2$ than it would be to discover the inverse of either of the factors modulo $\phi(n)$. 

13. Suppose $P$ is a plaintext message and the two encrypting exponents are $e_1$ and $e_2$. Let 
$a = (e_1, e_2)$. Then there exist integers $x$ and $y$ such that $e_1 x + e_2 y = a$. Let $C_1 \equiv P^{e_1} \pmod n$ 
and $C_2 \equiv P^{e_2} \pmod n$ be the two cipher texts. Because $C_1$, $C_2$, $e_1$, and $e_2$ are known to the 
decipherer, and because $x$ and $y$ are relatively easy to compute, then it is also easy to compute 
$C_1^x C_2^y \equiv P^{e_1 x} P^{e_2 y} = P^{e_1 x + e_2 y} = P^a \pmod n$. If $a = 1$, then $P$ has been recovered. If $a$ is fairly 
small, then it may not be too difficult to compute $a$th roots of $P^a$ and thereby recover $P$. 
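
The computation in answer 13 carried through on small numbers, together with a key-inventory check for the condition that makes it possible (one modulus published with more than one exponent). This is an added example, not code from the book; the modulus 2537 and the block 1704 appear elsewhere in these answers, while the exponent pairs, the key list and the function names are constructed for illustration.

```python
from math import gcd


def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def power_mod(c, k, n):
    """c^k mod n for any integer k; a negative k needs c invertible mod n."""
    if k >= 0:
        return pow(c, k, n)
    if gcd(c, n) != 1:
        raise ValueError("ciphertext shares a factor with n")
    return pow(pow(c, -1, n), -k, n)


def combine(c1, c2, e1, e2, n):
    """From C1 = P^e1 and C2 = P^e2 (mod n) return (P^a mod n, a), a = (e1, e2)."""
    a, x, y = egcd(e1, e2)          # e1*x + e2*y = a
    return (power_mod(c1, x, n) * power_mod(c2, y, n)) % n, a


def shared_moduli(public_keys):
    """Audit check: moduli that are published with more than one exponent."""
    seen = {}
    for n, e in public_keys:
        seen.setdefault(n, set()).add(e)
    return sorted(n for n, exps in seen.items() if len(exps) > 1)


def demo():
    n, p = 2537, 1704               # 2537 = 43 * 59; P is coprime to n
    # Relatively prime exponents (constructed): a = 1, so P itself comes out.
    coprime = combine(pow(p, 13, n), pow(p, 17, n), 13, 17, n)
    # Exponents with common factor 5 (constructed): only P^5 comes out.
    common = combine(pow(p, 55, n), pow(p, 65, n), 55, 65, n)
    # Constructed key inventory: 2537 is used by two key holders.
    flagged = shared_moduli([(2537, 13), (2537, 17), (2867, 11)])
    return coprime, common, flagged


if __name__ == "__main__":
    print(demo())
```

Giving every key pair its own modulus removes the precondition, which is what `shared_moduli` checks for.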

15. Encryption works the same as for the two prime case. For decryption, we must compute an inverse 
$d$ for $e$ modulo $\phi(n) = (p-1)(q-1)(r-1)$ where $n = pqr$ is the product of three primes. Then 
we proceed as in the two prime case. 

17. Let the encryption key be $(e, n)$. Then $C_1 \equiv P_1^e \pmod n$ and $C_2 \equiv P_2^e \pmod n$, where $C_1$ and $C_2$ 
are reduced residues modulo $n$. When we encrypt the product, we get $C \equiv (P_1 P_2)^e = P_1^e P_2^e \equiv C_1 C_2 \pmod n$, 
as desired. 

Section 8.5 

1. a. yes b. no c. yes d. no 

3. Proceed by induction. Certainly $a_1 < 2a_1 < a_2$. Suppose $\sum_{j=1}^{n-1} a_j < a_n$. Then $\sum_{j=1}^{n} a_j = \sum_{j=1}^{n-1} a_j + a_n < a_n + a_n = 2a_n < a_{n+1}$. 

5. (17,51,85,7, 14,45,73) 

7. NUTS 

9. If the multipliers and moduli are $(w_1, m_1), (w_2, m_2), \ldots, (w_r, m_r)$, the inverses 
$\overline{w}_1, \overline{w}_2, \ldots, \overline{w}_r$ can be computed with respect to their corresponding moduli. Then we multiply 
and reduce successively by $(\overline{w}_r, m_r), (\overline{w}_{r-1}, m_{r-1}), \ldots, (\overline{w}_1, m_1)$. The result will be the plaintext 
sequence of easy knapsack problems. 

11. 8-21-95 

13. For $i = 1, 2, \ldots, n$, we have $b^{\alpha_i} \equiv a_i \pmod m$. Then $b^S \equiv P \equiv (b^{\alpha_1})^{x_1} (b^{\alpha_2})^{x_2} \cdots (b^{\alpha_n})^{x_n} = b^{\alpha_1 x_1 + \cdots + \alpha_n x_n} \pmod m$. 
Then $S \equiv \alpha_1 x_1 + \cdots + \alpha_n x_n \pmod{\phi(m)}$. Because $S + k\phi(m)$ is also a 
logarithm of $P$ to the base $b$, we may take the congruence to be an equation. Because the $x_i = 0$ 
or 1, this becomes an additive knapsack problem on the sequence $(\alpha_1, \alpha_2, \ldots, \alpha_n)$. 

Section 8.6 

1. 90 

3. 476 

5. Let $k_1, k_2, \ldots, k_n$ be the private keys for parties 1 through $n$, respectively. There are $n$ steps in this 
protocol. The first step is for each of the parties 1 through $n$ to compute the least positive residue 
of $r^{k_i} \pmod p$ and send this value $y_i$ to the $(i+1)$st party. (The $n$th party sends his value to the 1st 
party.) Now the $i$th party has the value $y_{i-1}$ (where we take $y_0$ to be $y_n$). The second step is for each 
party to compute the least positive residue of (mod $p$) and send this value to the $(i+1)$st party. 
Now the $i$th party has the least positive residue of $r^{k_{i-1} + k_{i-2}} \pmod p$. This process is continued 
for a total of $n$ steps. However, at the $n$th step, the computed value is not sent on to the next 
party. Then the $i$th party will have the least positive residue of $r^{k_{i-1} + k_{i-2} + \cdots + k_1 + k_n + k_{n-1} + \cdots + k_{i+1} + k_i} \pmod p$, 
which is exactly the value of $K$ desired. 

7. a. 0371 0354 0858 0858 0087 1369 0354 0000 0087 1543 1797 0535 b. 0833 0457 0074 0323 
0621 0105 0621 0865 0421 0000 0746 0803 0105 0621 0421 

9. a. If $n_i < n_j$, then the block sizes are chosen small enough so that each block is unique modulo 
$n_i$. Because $n_i < n_j$, each block will be unique modulo $n_j$ after applying the transformation 
$D_{k_i}$. Therefore we can apply $E_{k_j}$ to $D_{k_i}(P)$ and retain uniqueness of blocks. If $n_i > n_j$, the 
argument is similar. b. If $n_i < n_j$, individual $j$ receives $E_{k_j}(D_{k_i}(P))$ and knows an inverse 
for $e_j$ modulo $\phi(n_j)$. So he can apply $D_{k_j}(E_{k_j}(D_{k_i}(P))) = D_{k_i}(P)$. Because he also knows 
$e_i$, he can apply $E_{k_i}(D_{k_i}(P)) = P$ and discover the plaintext $P$. If $n_i > n_j$, then individual $j$ 
receives $D_{k_i}(E_{k_j}(P))$. Because he knows $e_i$, he can apply $E_{k_i}(D_{k_i}(E_{k_j}(P))) = E_{k_j}(P)$. Because 
he also knows $\overline{e}_j$, he can apply $D_{k_j}(E_{k_j}(P)) = P$ and discover the plaintext $P$. c. Because only 
individual $i$ knows $\overline{e}_i$, only he can apply the transformation $D_{k_i}$ and thereby make $E_{k_i}(D_{k_i}(P))$ 
intelligible. d. $n_i = 2867 > n_j = 2537$, so we compute $D_{k_i}(E_{k_j}(P))$. Both $n_i$ and $n_j > 2525$, 
so we use blocks of four. REGARDS FRED becomes 1704 0600 1703 1805 1704 0323 (adding 
an X to fill out the last block). $e_i = 11$ and $\phi(n_i) = 2760$, so $\overline{e}_i = 251$. We apply $E_{k_j}(P) \equiv P^{e_j} = P^{13} \pmod{2537}$ 
to each block and get 1943 0279 0847 0171 1943 0088. Then we apply $D_{k_i}(E) \equiv E^{251} \pmod{2867}$ 
and get 0479 2564 0518 1571 0479 1064. Now because $n_j < n_i$, individual $j$ must 
send $E_{k_i}(D_{k_j}(P))$, $e_j = 13$, $\phi(2537) = 2436$, and $\overline{e}_j = 937$. Then $D_{k_j}(P) \equiv P^{937} \pmod{2537}$ 
and $E_{k_i}(D) \equiv D^{11} \pmod{2867}$. The cipher text is 1609 1802 0790 2508 1949 0267. 

11. $k_1 \equiv 4 \pmod 8$, $k_2 \equiv 5 \pmod 9$, $k_3 \equiv 2 \pmod{11}$ 

13. The three shadows from Exercise 11 are $k_1 = 4$, $k_2 = 5$, and $k_3 = 2$. If $k_1$ and $k_2$ are known, we 
solve the system of congruences $x \equiv 4 \pmod 8$, $x \equiv 5 \pmod 9$ to get $x = 68$. If $k_1$ and $k_3$ are 
known, we solve the system of congruences $x \equiv 4 \pmod 8$, $x \equiv 2 \pmod{11}$ to get $x = 68$. If $k_2$ 
and $k_3$ are known, we solve the system of congruences $x \equiv 5 \pmod 9$, $x \equiv 2 \pmod{11}$ to get 
$x = 68$. In all three cases, we recover $K_0$. Then $K = K_0 - tp = 68 - 13 \cdot 5 = 3$. 
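
The recovery in answer 13 as runnable code, plus a check of why one shadow alone is not enough. This is an added example, not code from the book. The shadows, moduli, $p = 5$ and $t = 13$ come from the answers above; the bound $K_0 < 8 \cdot 9 = 72$ (the product of the two smallest moduli) and $0 \le K < p$ are assumptions about how the scheme was set up, and the function names are hypothetical.

```python
from itertools import combinations
from math import gcd

P = 5                                  # prime p in K = K_0 - t*p
SHADOWS = [(4, 8), (5, 9), (2, 11)]    # (k_j, m_j) from Exercise 11
BOUND = 8 * 9                          # assumption: K_0 < product of 2 smallest moduli


def crt_pair(s1, s2):
    """Solve x = r1 (mod m1), x = r2 (mod m2); return x in [0, m1*m2)."""
    (r1, m1), (r2, m2) = s1, s2
    if gcd(m1, m2) != 1:
        raise ValueError("moduli must be relatively prime")
    # x = r1 + m1*t with t = (r2 - r1) * m1^{-1} (mod m2)
    t = ((r2 - r1) * pow(m1, -1, m2)) % m2
    return (r1 + m1 * t) % (m1 * m2)


def recover_key(s1, s2, p=P):
    """Any two shadows give K_0; with 0 <= K < p, K = K_0 - t*p = K_0 mod p."""
    return crt_pair(s1, s2) % p


def keys_consistent_with(shadow, p=P, bound=BOUND):
    """Every K that a single shadow still allows, given K_0 < bound."""
    r, m = shadow
    return {k0 % p for k0 in range(r, bound, m)}


def demo():
    k0_values = [crt_pair(a, b) for a, b in combinations(SHADOWS, 2)]
    keys = [recover_key(a, b) for a, b in combinations(SHADOWS, 2)]
    single = [keys_consistent_with(s) for s in SHADOWS]
    return k0_values, keys, single


if __name__ == "__main__":
    k0_values, keys, single = demo()
    print("K_0 from each pair:", k0_values)
    print("K from each pair:  ", keys)
    print("K values still possible from one shadow:", single)
```

Each pair yields $K_0 = 68$ and $K = 3$, while each single shadow leaves all five residues modulo $p$ possible.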

Section 9.1 

1. a. 4 b. 4 c. 6 d. 4 

3. $2^1 \equiv 2 \pmod 3$ and $2^2 \equiv 1 \pmod 3$, so $\operatorname{ord}_3 2 = 2$. $2^1 \equiv 2 \pmod 5$, $2^2 \equiv 4 \pmod 5$ and $2^4 = 16 \equiv 1 \pmod 5$, 
so $\operatorname{ord}_5 2 = 4$. $2^1 \equiv 2 \pmod 7$, $2^2 \equiv 4 \pmod 7$ and $2^3 \equiv 1 \pmod 7$, so $\operatorname{ord}_7 2 = 3$. 

5. a. $\phi(6) = 2$, and $5^2 \equiv 1 \pmod 6$. b. $\phi(11) = 10$, $2^2 \equiv 4$, $2^5 \equiv -1$, $2^{10} \equiv 1 \pmod{11}$. 

7. Only 1, 5, 7, and 11 are prime to 12. Each one squared is congruent to 1, but $\phi(12) = 4$. 

9. There are two: 3 and 5. 

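11. That $\operatorname{ord}_n a = \operatorname{ord}_n \overline{a}$ follows from the fact that $a^t \equiv 1 \pmod n$ if and only if $\overline{a}^t \equiv 1 \pmod n$. To 
see this, suppose that $a^t \equiv 1 \pmod n$. Then $\overline{a}^t \equiv (\overline{a}^t a^t)(a^t) \equiv (a\overline{a})^t a^t \equiv 1^t \cdot 1 \equiv 1 \pmod n$. The 
converse is shown in a similar manner. 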

13. We have $[r, s]/(r, s) \le \operatorname{ord}_n ab \le [r, s]$ 

15. Let $r = \operatorname{ord}_m a^t$. Then $a^{tr} \equiv 1 \pmod m$, and hence $tr \ge ts$ and $r \ge s$. Because $1 \equiv a^{st} = (a^t)^s \pmod n$, 
we have $s \ge r$. 

17. Suppose that $r$ is a primitive root modulo the odd prime $p$. Then $r^{(p-1)/q} \not\equiv 1 \pmod p$ for all 
prime divisors $q$ of $p - 1$ because no smaller power than the $(p-1)$st of $r$ is congruent to 1 
modulo $p$. Conversely, suppose that $r$ is not a primitive root of $p$. Then there is an integer $t$ 
such that $r^t \equiv 1 \pmod p$ with $t < p - 1$. Because $t$ must divide $p - 1$, we have $p - 1 = st$ for 
some positive integer $s$ greater than 1. Then $(p-1)/s = t$. Let $q$ be a prime divisor of $s$. Then 
$(p-1)/q = t(s/q)$, so that $r^{(p-1)/q} = (r^t)^{s/q} \equiv 1 \pmod p$. 

19. Because $2^{2^n} + 1 \equiv 0 \pmod{F_n}$, then $2^{2^n} \equiv -1 \pmod{F_n}$. Squaring gives $(2^{2^n})^2 \equiv 1 \pmod{F_n}$. 
Thus, $\operatorname{ord}_{F_n} 2 \le 2^n \cdot 2 = 2^{n+1}$. 

21. Note that $a^t < m = a^n - 1$ whenever $1 \le t < n$. Hence, $a^t$ cannot be congruent to 1 modulo $m$ 
when $t$ is a positive integer less than $n$. However, $a^n \equiv 1 \pmod m$ because $m = (a^n - 1) \mid (a^n - 1)$. 
It follows that $\operatorname{ord}_m a = n$. Because $\operatorname{ord}_m a \mid \phi(m)$, we see that $n \mid \phi(m)$. 

23. First suppose that $pq$ is a pseudoprime to the base 2. By Fermat’s little theorem, $2^p \equiv 2 \pmod p$, 
so there exists an integer $k$ such that $2^p - 2 = kp$. Then $2^{M_p - 1} - 1 = 2^{2^p - 2} - 1 = 2^{kp} - 1$. This 
last expression is divisible by $2^p - 1 = M_p$ by Lemma 6.1. Hence, $2^{M_p - 1} \equiv 1 \pmod{M_p}$, or 
$2^{M_p} \equiv 2 \pmod{M_p}$. Because $pq$ is a pseudoprime to the base 2, we have $2^{pq} \equiv 2 \pmod{pq}$, so 
$2^{pq} \equiv 2 \pmod p$. But $2^{pq} = (2^p)^q \equiv 2^q \pmod p$. Therefore, $2^q \equiv 2 \pmod p$. Then there exists 
an integer $l$ such that $M_q - 1 = 2^q - 2 = lp$. Then $2^{M_q - 1} - 1 = 2^{2^q - 2} - 1 = 2^{lp} - 1$, so $2^p - 1 = M_p$ 
divides $2^{M_q - 1} - 1$. Therefore, $2^{M_q} \equiv 2 \pmod{M_p}$. Then we have $2^{M_p M_q} = (2^{M_p})^{M_q} \equiv 2^{M_q} \equiv 2 \pmod{M_p}$. 
Similarly, $2^{M_p M_q} \equiv 2 \pmod{M_q}$. By the Chinese remainder theorem, noting that 
$M_p$ and $M_q$ are relatively prime, we have $2^{M_p M_q} \equiv 2 \pmod{M_p M_q}$. Therefore, $M_p M_q$ is 
a pseudoprime to the base 2. Conversely, suppose $M_p M_q$ is a pseudoprime to the base 2. 
From the reasoning in the proof of Theorem 6.6, we have that $2^{M_p} \equiv 2 \pmod p$. Therefore, 
$2^{M_p M_q} = 2^{(M_p - 1)M_q + M_q} \equiv 2^{M_q} \equiv 2 \pmod p$. But because $M_p = 2^p - 1 \equiv 0 \pmod{M_p}$, we have 
that the order of 2 modulo $M_p$ is $p$. Therefore, $p \mid M_q - 1$. In other words, $2^q \equiv 2 \pmod p$. Then 
$2^{pq} \equiv 2^q \equiv 2 \pmod p$. Similarly, $2^{pq} \equiv 2 \pmod q$. Therefore, by the Chinese remainder theorem, 
$2^{pq} \equiv 2 \pmod{pq}$. Therefore, because $pq$ is composite, it is a pseudoprime to the base 2. 

25. a. Let $k$ be an integer that satisfies all of the congruences. If $n \equiv 1 \pmod 2$, then because 
$\operatorname{ord}_3 2 = 2$, we have $2^n + k \equiv 2^{2m+1} - 2^1 = (2^2)^m 2 - 2 \equiv 1^m 2 - 2 = 0 \pmod 3$, so $3 \mid 2^n + k$. If 
$n \equiv 2 \pmod 4$, then because $\operatorname{ord}_5 2 = 4$, we have $2^n + k \equiv 2^{4m+2} - 2^2 \equiv 2^2 - 2^2 = 0 \pmod 5$, so 
$5 \mid 2^n + k$. If $n \equiv 1 \pmod 3$, then because $\operatorname{ord}_7 2 = 3$, we have $2^n + k \equiv 2^{3m+1} - 2^1 \equiv 2 - 2 = 0 \pmod 7$, 
so $7 \mid 2^n + k$. If $n \equiv 8 \pmod{12}$, then because $\operatorname{ord}_{13} 2 = 12$, we have $2^n + k \equiv 
2^{12m+8} - 2^8 \equiv 2^8 - 2^8 = 0 \pmod{13}$, so $13 \mid 2^n + k$. If $n \equiv 4 \pmod 8$, then because $\operatorname{ord}_{17} 2 = 8$, 
we have $2^n + k \equiv 2^{8m+4} - 2^4 \equiv 2^4 - 2^4 = 0 \pmod{17}$, so $17 \mid 2^n + k$. If $n \equiv 0 \pmod{24}$, then 
because $\operatorname{ord}_{241} 2 = 24$, we have $2^n + k \equiv 2^{24m} - 2^0 \equiv 1 - 1 = 0 \pmod{241}$, so $241 \mid 2^n + k$. So 
if $n$ satisfies any of the above congruences, we see that $2^n + k$ cannot be prime. Let $r$ be the least 
nonnegative residue of $n$ modulo 24. If $r$ is odd, then $n \equiv 1 \pmod 2$. If $r = 2, 6, 10, 14, 18$, or 
22, then $n \equiv 2 \pmod 4$. If $r = 4$ or 16, then $n \equiv 1 \pmod 3$. If $r = 8$ or 20, then $n \equiv 8 \pmod{12}$. 
If $r = 12$, then $n \equiv 4 \pmod 8$. If $r = 0$, then $n \equiv 0 \pmod{24}$. This shows that every positive 
integer $n$ must satisfy one of the congruences $n \equiv 1 \pmod 2$, $n \equiv 3 \pmod 4$, $n \equiv 1 \pmod 3$, $n \equiv 8 \pmod{12}$, 
$n \equiv 4 \pmod 8$, and $n \equiv 0 \pmod{24}$. So if $k$ simultaneously satisfies all the congruences 
stated in the exercise, then $2^n + k$ must be composite for all positive integers $n$. b. Simplifying 
the congruences in part (a) gives us $k \equiv 1 \pmod 3$, $k \equiv 1 \pmod 5$, $k \equiv 5 \pmod 7$, $k \equiv 4 \pmod{13}$, 
$k \equiv 1 \pmod{17}$, and $k \equiv -1 \pmod{241}$. Using computational software, we use the Chinese 
remainder theorem to simultaneously solve this system of congruences to get $k \equiv 1{,}518{,}781 \pmod{5{,}592{,}405}$. 
Note that the modulus is equal to $3 \cdot 5 \cdot 7 \cdot 13 \cdot 17 \cdot 241$. Then $2^n + 1{,}518{,}781$ 
is composite for all positive integers $n$. 

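27. Let $j = \operatorname{ord}_{\phi(n)} e$. Then $e^j \equiv 1 \pmod{\phi(n)}$. Because $\operatorname{ord}_n P \mid \phi(n)$, we have $e^j \equiv 1 \pmod{\operatorname{ord}_n P}$. 
Then by Theorem 9.2, $P^{e^j} \equiv P \pmod n$, so $C^{e^{j-1}} \equiv (P^e)^{e^{j-1}} \equiv P^{e^j} \equiv P \pmod n$ and 
$C^{e^j} \equiv P^e \equiv C \pmod n$. 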

Section 9.2 

1. a. 2 b. 2 c. 3 d. 0 

3. a. 2 b. 4 c. 8 d. 6 e. 12 f. 22 

5. % 6,1, 11 

7. 2, 3, 10, 13, 14, 15 

9. By Lagrange’s theorem, there are at most two solutions to $x^2 \equiv 1 \pmod p$, and we know $x \equiv \pm 1$ 
are the two solutions. Because $p \equiv 1 \pmod 4$, $4 \mid (p - 1) = \phi(p)$, so there is an element $x$ of 
order 4 modulo $p$. Then $x^4 = (x^2)^2 \equiv 1 \pmod p$, so $x^2 \equiv \pm 1 \pmod p$. If $x^2 \equiv 1 \pmod p$, then $x$ 
does not have order 4. Therefore, $x^2 \equiv -1 \pmod p$. 

11. a. Let $f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0$, and let $k$ be the largest integer such that $p$ does not divide 
$a_k$. Let $g(x) = a_k x^k + a_{k-1} x^{k-1} + \cdots + a_0$. Then $f(x) \equiv g(x) \pmod p$ for every value of $x$. In 
particular, $g(x)$ has the same set of roots as $f(x)$. Because the number of roots is greater than 
$n \ge k$, this contradicts Lagrange’s theorem. Therefore, no such $k$ exists and $p$ must divide every 
coefficient of $f(x)$. b. Note that the degree of $f(x)$ is $p - 2$. By Fermat’s little theorem, we have 
that $x^{p-1} - 1 \equiv 0 \pmod p$, for $x = 1, 2, \ldots, p - 1$. Further, each $x$ in the same range is a zero for 
$(x - 1)(x - 2) \cdots (x - p + 1)$. Therefore, each $x = 1, 2, \ldots, p - 1$ is a root of $f(x)$. Because 
$f(x)$ has degree $p - 2$ and $p - 1$ roots, part (a) tells us that all the coefficients of $f(x)$ are divisible 
by $p$. c. From part (b), we know that the constant term of $f(x)$ is divisible by $p$. The constant 
term is given by $f(0) = (-1)(-2) \cdots (-p + 1) + 1 = (-1)^{p-1}(p - 1)! + 1 = (p - 1)! + 1 \equiv 0 \pmod p$, 
which is Wilson’s theorem. 



13. a. Because $q_i^{t_i} \mid \phi(p) = p - 1$, by Theorem 9.8 there exist $\phi(q_i^{t_i})$ elements of order $q_i^{t_i}$ for 
each $i = 1, 2, \ldots, r$. Let $a_i$ be a fixed element of this order. b. Using induction and Exercise 
10 of Section 9.1, we have $\operatorname{ord}_p(a) = \operatorname{ord}_p(a_1 \cdots a_r) = \operatorname{ord}_p(a_1 \cdots a_{r-1}) \operatorname{ord}_p(a_r) = \cdots = 
\operatorname{ord}_p(a_1) \cdots \operatorname{ord}_p(a_r)$ because $\{\operatorname{ord}_p(a_1), \operatorname{ord}_p(a_2), \ldots, \operatorname{ord}_p(a_r)\} = \{q_1^{t_1}, \ldots, q_r^{t_r}\}$ are pairwise 
relatively prime. c. 18 

15. If $n$ is odd, composite, and not a power of 3, then the product in Exercise 14 is $\prod_{j=1}^{r} (n - 1, p_j - 1) \ge (n - 1, 3 - 1)(n - 1, 5 - 1) \ge 2 \cdot 2 = 4$. 
So there must be two bases other than $-1$ and $+1$. 

17. a. Suppose that $f(x)$ is a polynomial with integer coefficients of degree $n - 1$. Suppose 
that $x_1, x_2, \ldots, x_n$ are incongruent modulo $p$ where $p$ is prime. Consider the polynomial 
$g(x) = f(x) - \sum_{j=1}^{n} \left( f(x_j) \prod_{i \ne j} (x - x_i) \overline{(x_j - x_i)} \right)$. Note that $x_j$, $j = 1, 2, \ldots, n$ is a root of 
this polynomial modulo $p$ because its value at $x_j$ is $f(x_j) - [0 + 0 + \cdots + f(x_j) \prod_{i \ne j} (x_j - x_i) \overline{(x_j - x_i)} + \cdots + 0] \equiv f(x_j) - f(x_j) \cdot 1 \equiv 0 \pmod p$. 
Because $g(x)$ has $n$ incongruent roots 
modulo $p$, and because it is of degree $n - 1$ or less, we can easily use Lagrange’s theorem 
(Theorem 9.6) to see that $g(x) \equiv 0 \pmod p$ for every integer $x$. b. 10 

19. By Exercise 27 of Section 9.1, $j \mid \operatorname{ord}_{\phi(n)} e$. Here, $\phi(n) = \phi(pq) = 4p'q'$, so $j \mid \phi(4p'q') = 
2(p' - 1)(q' - 1)$. Choose $e$ to be a primitive root modulo $p'$. Then $p' - 1 = \phi(p') \mid \phi(\phi(n))$, so 
$p' - 1 \mid \operatorname{ord}_{\phi(n)} e$. The decrypter needs $e^j \equiv 1 \pmod n$, but this choice of $e$ forces $j = p' - 1$, which 
will take quite some time to find. 

Section 9.3 

1. 4, 10, 22 

3. a. 2 b. 2 c. 5 d. 2 

5. a. 2 b. 2 c. 2 d. 3 

7. a. 7 b. 3 c. 21 d. 27 

9. 7, 13, 17, 19 

11. 3, 13, 15, 21, 29, 33 

13. Suppose that $r$ is a primitive root of $m$, and suppose further that $x^2 \equiv 1 \pmod m$. Let $x \equiv r^t \pmod m$ 
where $0 \le t \le p - 1$. Then $r^{2t} \equiv 1 \pmod m$. Because $r$ is a primitive root, it follows that 
$\phi(m) \mid 2t$ so that $2t = k\phi(m)$ and $t = k\phi(m)/2$ for some integer $k$. We have $x \equiv r^t = 
r^{(\phi(m)/2)k} \equiv (-1)^k \equiv \pm 1 \pmod m$, because $r^{\phi(m)/2} \equiv -1 \pmod m$. Conversely, suppose that $m$ 
has no primitive root. Then $m$ is not of one of the forms 2, 4, $p^a$, or $2p^a$ with $p$ an odd prime. 
So either 2 distinct odd primes divide $m$ or $m = 2^b M$ with $M > 1$ an odd integer and $b > 1$ or 
$m = 2^b$ with $b > 3$ or $m = 8$. If $m = 8$, note that $3^2 \equiv 1 \pmod 8$. In each of the other cases, we have 
$\phi(m) = 2^c N$ with $N$ odd and $c \ge 3$. From Theorem 9.12, we know there are at least three solutions 
$y_1, y_2, y_3$ to $y^2 \equiv 1 \pmod{2^c}$, and certainly $z = 1 \pmod N$ is a solution of $x^2 \equiv 1 \pmod N$. By 
the Chinese remainder theorem, there is a unique solution modulo $2^c N$ of the system $x \equiv y_i \pmod{2^c}$, 
$z \equiv 1 \pmod N$ for $i = 1, 2, 3$. Because these solutions are distinct modulo $m$, at least 
one of them is not $\pm 1 \pmod m$. 

15. By Theorem 9.12, we know that $\operatorname{ord}_{2^k} 5 = \phi(2^k)/2$. Hence, the $2^{k-2}$ integers $5^j$, $j = 0, 1, \ldots, 
2^{k-2} - 1$, are incongruent modulo $2^k$. Similarly, the $2^{k-2}$ integers $-5^j$, $j = 0, 1, \ldots, 2^{k-2} - 1$, 
are incongruent modulo $2^k$. Note that $5^i$ cannot be congruent to $-5^j$ modulo $2^k$ where $i$ 
and $j$ are integers, because $5^i \equiv 1 \pmod 4$ but $-5^j \equiv 3 \pmod 4$. It follows that the integers 
$1, 5, \ldots, 5^{2^{k-2} - 1}, -1, -5, \ldots, -5^{2^{k-2} - 1}$ are $2^{k-1}$ incongruent integers modulo $2^k$. Because 
$\phi(2^k) = 2^{k-1}$ and every integer of the form $(-1)^{\alpha} 5^{\beta}$ is relatively prime to $2^k$, it follows that every 
odd integer is congruent to an integer of this form with $\alpha = 0$ or 1 and $0 \le \beta \le 2^{k-2} - 1$. 



Section 9.4 

1. The values of $\operatorname{ind}_5 i$, $i = 1, 2, \ldots, 22$ are 22, 2, 16, 4, 1, 18, 19, 6, 10, 3, 9, 20, 14, 21, 17, 8, 7, 
12, 15, 5, 13, 11, respectively. 

3. a. 7, 18 b. none 

5. 8, 9, 20, 21, 29 (mod 29) 

7. all positive integers $x \equiv$ 1, 12, 23, 24, 45, 46, 47, 67, 69, 70, 78, 89, 91, 92, 93, 100, 111, 115, 
116, 133, 137, 138, 139, 144, 155, 161, 162, 177, 183, 184, 185, 188, 199, 207, 208, 210, 221, 
229, 230, 231, 232, 243, 253, 254, 265, 275, 276, 277, 287, 299, 300, 309, 321, 322, 323, 331, 
345, 346, 353, 367, 368, 369, 375, 386, 391, 392, 397, 413, 414, 415, 419, 430, 437, 438, 441, 
459, 460, 461, 463, 483, 484, 485, 496, 505 (mod 506) 

9. Suppose that $x^4 \equiv -1 \pmod p$ and let $y = \operatorname{ind}_r x$. Then $-x$ is also a solution and by Exercise 8, 
$\operatorname{ind}_r(-x) \equiv \operatorname{ind}_r(-1) + \operatorname{ind}_r(x) \equiv (p - 1)/2 + y \pmod{p - 1}$. So, without loss of generality, 
we may take $0 < y < (p - 1)/2$, or $0 < 4y < 2(p - 1)$. Taking indices of both sides of 
the congruence yields $4y \equiv \operatorname{ind}_r(-1) \equiv (p - 1)/2 \pmod{p - 1}$, again using Exercise 8. So 
$4y = (p - 1)/2 + m(p - 1)$ for some $m$. But $4y < 2(p - 1)$, so either $4y = (p - 1)/2$ and so 
$p = 8y + 1$ or $4y = 3(p - 1)/2$. In this last case, 3 must divide $y$, so we have $p = 8(y/3) + 1$. So 
in either case, $p$ is of the desired form. Conversely, suppose $p = 8k + 1$ and let $r$ be a primitive 
root of $p$. Take $x = r^k$. Then $x^4 = r^{4k} = r^{(p-1)/2} \equiv -1 \pmod p$ by Exercise 8. So this $x$ is a 
solution. 

11. (1, 2), (0, 2) 

13. $x \equiv 29 \pmod{32}$; $x \equiv 4 \pmod 8$ 

15. (0, 0, 1, 1), (0, 0, 1, 4) 

17. $x \equiv 17 \pmod{60}$ 

19. We seek a solution to $x^k \equiv a \pmod{2^e}$. We take indices as described before Exercise 11. Suppose 
$a \equiv (-1)^{\alpha} 5^{\beta}$ and $x \equiv (-1)^{\gamma} 5^{\delta}$. Then we have $\operatorname{ind} x^k = (k\gamma, k\delta)$ and $\operatorname{ind} a = (\alpha, \beta)$, so $k\gamma \equiv \alpha \pmod 2$ 
and $k\delta \equiv \beta \pmod{2^{e-2}}$. Because $k$ is odd, both congruences are solvable for $\gamma$ and $\delta$, 
which determine $x$. 

21. First we show that $\operatorname{ord}_{2^e} 5 = 2^{e-2}$. Indeed, $\phi(2^e) = 2^{e-1}$, so it suffices to show that the highest 
power of 2 dividing $5^{2^{e-2}} - 1$ is $2^e$. We proceed by induction. The basis step is the case $e = 2$, 
which is true. Note that $5^{2^{e-2}} - 1 = (5^{2^{e-3}} - 1)(5^{2^{e-3}} + 1)$. The first factor is exactly divisible by 
$2^{e-1}$ by the induction hypothesis. The second factor differs from the first by 2, so it is exactly 
divisible by 2, and therefore $5^{2^{e-2}} - 1$ is exactly divisible by $2^e$, as desired. Hence, if $k$ is odd, 
the numbers $\pm 5^k, \pm 5^{2k}, \ldots, \pm 5^{2^{e-2} k}$ are $2^{e-1}$ incongruent $k$th power residues, which is the 
number given by the formula. If $2^m$ exactly divides $k$, then $5^k \equiv (-5)^k \pmod{2^e}$, so the formula 
must be divided by 2, hence the factor $(k, 2)$ in the denominator. Further, $5^{2^m}$ has order $2^{e-2}/2^m$ 
if $m < e - 2$ and order 1 if $m > e - 2$, so the list must repeat modulo $2^e$ every $\operatorname{ord}_{2^e} 5^{2^m}$ terms, 
whence the other factor in the denominator. 

23. a. From the first inequality in case (i) of the proof of Theorem 6.10, if $n$ is not square-free, the 
probability is strictly less than $2n/9$, which is substantially smaller than $(n - 1)/4$ for large $n$. If 
$n$ is square-free, the argument following inequality (9.6) shows that if $n$ has four or more factors, 
then the probability is less than $n/8$. The next inequality shows that the worst case for $n = p_1 p_2$ 
is when $s_1 = s_2$ and $s_1$ is as small as possible, which is the case stated in this exercise. 
b. 0.24999 ... 

Section 9.5 

1. We have $2^2 \equiv 4 \pmod{101}$, $2^5 \equiv 32 \pmod{101}$, $2^{10} = (2^5)^2 = 32^2 \equiv 14 \pmod{101}$, $2^{20} = 
(2^{10})^2 \equiv 14^2 \equiv 95 \pmod{101}$, $2^{25} = (2^5)^5 = 32^5 = (32^2)^2 \cdot 32 = 1024^2 \cdot 32 \equiv 14^2 \cdot 32 = 196 \cdot 32 \equiv 
-6 \cdot 32 = -192 \equiv 10 \pmod{101}$, $2^{50} = (2^{25})^2 \equiv 10^2 = 100 \equiv -1 \pmod{101}$, $2^{100} = (2^{50})^2 \equiv 
(-1)^2 = 1 \pmod{101}$. Because $2^{(101-1)/q} \not\equiv 1 \pmod{101}$ for every proper divisor $q$ of 100, and 
because $2^{101-1} \equiv 1 \pmod{101}$, it follows that 101 is prime. 

3. $233 - 1 = 2^3 \cdot 29$, $3^{116} \equiv -1 \pmod{233}$, $3^8 \equiv 37 \not\equiv 1 \pmod{233}$ 

5. The first condition implies $x^{F_n - 1} \equiv 1 \pmod{F_n}$. The only prime dividing $F_n - 1 = 2^{2^n}$ is 2, and 
$(F_n - 1)/2 = 2^{2^n - 1}$, so the second condition implies $x^{(F_n - 1)/2} \not\equiv 1 \pmod{F_n}$. Then by Theorem 
9.18, $F_n$ is prime. 

7. See [Le80] 

9. Because $n - 1 = 9928 = 2^3 \cdot 17 \cdot 73$, we take $F = 2^3 \cdot 17 = 136$ and $R = 73$, noting that $F > R$. We 
apply Pocklington’s test with $a = 3$. We check (using a calculator or computational software) that 
$3^{9928} \equiv 1 \pmod{9929}$ and $(3^{9928/2} - 1, 9929) = 1$ and $(3^{9928/17} - 1, 9929) = 1$, because 2 and 17 
are the only primes dividing $F$. Therefore, $n$ passes Pocklington’s test and so is prime. 

11. Note that $3329 = 2^8 \cdot 13 + 1$ and $13 < 2^8$, so it is of the form that can be tested by Proth’s test. We 
try $2^{(3329-1)/2} = 2^{1664} \equiv 1 \pmod{3329}$ (using a calculator or computational software). So Proth’s 
test fails for $a = 2$. Next we try $a = 3$ and compute $3^{1664} \equiv -1 \pmod{3329}$, which shows that 
3329 is prime. 

13. We apply Pocklington’s test to this situation. Note that $n - 1 = hq^k$, so we let $F = q^k$ and $R = h$ 
and observe that by hypothesis $F > R$. Because $q$ is the only prime dividing $F$, we need only 
check that there is an integer $a$ such that $a^{n-1} \equiv 1 \pmod n$ and $(a^{(n-1)/q} - 1, n) = 1$. But both of 
these conditions are hypotheses. 
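
Answers 9, 11 and 13 as runnable checks, the kind of test a key-generation routine can use to certify a prime modulus. This is an added example, not code from the book; the inputs 9929 and 3329 with their bases come from the answers above, the composite inputs 561 and 1281 are constructed to show that no base can certify them, and the function names are hypothetical.

```python
from math import gcd


def split_n_minus_1(n, f_primes):
    """Write n - 1 = F * R with F built only from the primes in f_primes."""
    f, r = 1, n - 1
    for q in f_primes:
        if r % q:
            raise ValueError(f"{q} does not divide n - 1")
        while r % q == 0:
            f, r = f * q, r // q
    return f, r


def pocklington(n, f_primes, a):
    """True if base a certifies n as prime by Pocklington's test (needs F > R)."""
    f, r = split_n_minus_1(n, f_primes)
    if f <= r:
        raise ValueError("factored part F must exceed R")
    if pow(a, n - 1, n) != 1:
        return False
    # gcd(a^((n-1)/q) - 1, n) must be 1 for every prime q dividing F.
    return all(gcd(pow(a, (n - 1) // q, n) - 1, n) == 1 for q in f_primes)


def proth_form(n):
    """Return (h, k) with n = h * 2^k + 1, h odd and h < 2^k, else None."""
    h, k = n - 1, 0
    while h > 0 and h % 2 == 0:
        h, k = h // 2, k + 1
    return (h, k) if k > 0 and h < 2 ** k else None


def proth_witness(n, bases):
    """First base a with a^((n-1)/2) = -1 (mod n), which proves n prime; else None."""
    if proth_form(n) is None:
        raise ValueError("n is not of the form h * 2^k + 1 with h < 2^k")
    for a in bases:
        if pow(a, (n - 1) // 2, n) == n - 1:
            return a
    return None


def demo():
    return {
        "split 9928": split_n_minus_1(9929, [2, 17]),           # F, R from answer 9
        "9929 certified by a=3": pocklington(9929, [2, 17], 3),
        "3329 Proth form": proth_form(3329),                    # h, k from answer 11
        "3329 first witness": proth_witness(3329, range(2, 20)),
        # 561 = 3*11*17 satisfies a^560 = 1 for every a coprime to it,
        # yet the gcd conditions reject every base.
        "561 certified by any a": any(
            pocklington(561, [2, 5], a) for a in range(2, 561)),
        # 1281 = 3*7*61 = 5*2^8 + 1 has Proth form but no witness.
        "1281 witness": proth_witness(1281, range(2, 1281)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```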

Section 9.6 

1. a. 20 b. 12 c. 36 d. 48 e. 180 f. 388,080 g. 8640 h. 125,411,328,000 

3. 65,520 

5. Suppose that $m = 2^{t_0} p_1^{t_1} \cdots p_s^{t_s}$. Then $\lambda(m) = [\lambda(2^{t_0}), \ldots, \phi(p_s^{t_s})]$. Furthermore, 
$\phi(m) = \phi(2^{t_0}) \phi(p_1^{t_1}) \cdots \phi(p_s^{t_s})$. Because $\lambda(2^{t_0}) = 1$, 2, or $2^{t_0 - 2}$ when $t_0 = 1$, 2, or $t_0 \ge 3$, 
respectively, it follows that $\lambda(2^{t_0}) \mid \phi(2^{t_0}) = 2^{t_0 - 1}$. Because the least common multiple of a 
set of numbers divides the product of these numbers, or their multiples, we see that $\lambda(m) \mid \phi(m)$. 

7. For any integer $x$ with $(x, n) = (x, m) = 1$, we have $x^a \equiv 1 \pmod n$ and $x^a \equiv 1 \pmod m$. Then 
the Chinese remainder theorem gives us $x^a \equiv 1 \pmod{[n, m]}$. But because $n$ is the largest integer 
with this property, we must have $[n, m] = n$, so $m \mid n$. 

9. Suppose that $ax \equiv b \pmod m$. Multiplying both sides of this congruence by $a^{\lambda(m) - 1}$ gives 
$a^{\lambda(m)} x \equiv a^{\lambda(m) - 1} b \pmod m$. Because $a^{\lambda(m)} \equiv 1 \pmod m$, it follows that $x \equiv a^{\lambda(m) - 1} b \pmod m$. 
Conversely, let $x_0 \equiv a^{\lambda(m) - 1} b \pmod m$. Then $a x_0 \equiv a a^{\lambda(m) - 1} b = a^{\lambda(m)} b \equiv b \pmod m$, so $x_0$ is a 
solution. 

11. a. First suppose that $m = p^a$. Then we have $x(x^{c-1} - 1) \equiv 0 \pmod{p^a}$. Let $s$ be a primitive root 
for $p^a$; then the solutions to $x^{c-1} \equiv 1$ are exactly the powers $s^k$ with $(c - 1)k \equiv 1 \pmod{\phi(p^a)}$, 
and there are $(c - 1, \phi(p^a))$ of these. Also, 0 is a solution, so we have $1 + (c - 1, \phi(p^a))$ 
solutions all together. Now if $m = p_1^{a_1} \cdots p_r^{a_r}$, we can count the number of solutions modulo $p_i^{a_i}$ 
for each $i$. There is a one-to-one correspondence between solutions modulo $m$ and the set of $r$-tuples 
of solutions to the system of congruences modulo each of the prime powers. b. Suppose 
$(c - 1, \phi(m)) = 2$, then $c - 1$ is even. Because $\phi(p^a)$ is even for all prime powers, except 2, we 
have $(c - 1, \phi(p_i^{a_i})) = 2$ for each $i$. Then by part (a), we have the number of solutions $= 3^r$. If $2^1$ 
is a prime factor, then $\phi(m) = \phi(m/2)$, and because $x^c$ and $x$ have the same parity, $x$ is a solution 
modulo $m$ if and only if it is a solution modulo $m/2$, so the result still holds. 

13. Let $n = 3pq$, with $p < q$ odd primes, be a Carmichael number. Then by Theorem 9.27, 
$p - 1 \mid 3pq - 1 = 3(p - 1)q + 3q - 1$, so $p - 1 \mid 3q - 1$, say, $(p - 1)a = 3q - 1$. Because $q > p$, 
we must have $a \ge 4$. Similarly, there is an integer $b$ such that $(q - 1)b = 3p - 1$. Solving these 
two equations for $p$ and $q$ yields $q = (2a + ab - 3)/(ab - 9)$ and $p = (2b + ab - 3)/(ab - 9) = 
1 + (2b + 6)/(ab - 9)$. Then because $p$ is an odd prime greater than 3, we must have 
$4(ab - 9) < 2b + 6$, which reduces to $b(2a - 1) < 21$. Because $a \ge 4$, this implies that $b \le 3$. 
Then $4(ab - 9) < 2b + 6 < 12$, so $ab < 21/4$, so $a \le 5$. Therefore, $a = 4$ or 5. If $b = 3$, then the 
denominator in the expression for $q$ is a multiple of 3, so the numerator must be a multiple of 3, 
but that is impossible because there is no choice for $a$ that is divisible by 3. Thus, $b = 1$ or 2. The 
denominator of $q$ must be positive, so $ab > 9$, which eliminates all remaining possibilities except 
$a = 5$, $b = 2$, in which case $p = 11$ and $q = 17$. So the only Carmichael number of this form is 
$561 = 3 \cdot 11 \cdot 17$. 

15. Assume $q < r$. By Theorem 9.23, $q - 1 \mid pqr - 1 = (q - 1)pr + pr - 1$. Therefore, $q - 1 \mid pr - 1$, 
say, $a(q - 1) = pr - 1$. Similarly, $b(r - 1) = pq - 1$. Because $q < r$, we must have $a > b$. 
Solving these two equations for $q$ and $r$ yields $r = (p(a - 1) + a(b - 1))/(ab - p^2)$ and 
$q = (p(b - 1) + b(a - 1))/(ab - p^2) = 1 + (p^2 + pb - p - b)/(ab - p^2)$. Because this 
last fraction must be an integer, we have $ab - p^2 < p^2 + pb - p - b$, which reduces to 
$a(b - 1) < 2p^2 + p(b - 1)$ or $a - 1 < 2p^2/b + p(b - 1)/b < 2p^2 + p$. So there are only 
finitely many values for $a$. Likewise, the same inequality gives us $b(a - 1) < 2p^2 + pb - p$ 
or $b(a - 1 - p) < 2p^2 - p$. Because $a > b$ and the denominator of the expression for $q$ must 
be positive, we have that $a \ge p + 1$. If $a = p + 1$, we have $(p + 1)(q - 1) = pq - p + q - 1 = 
pr - 1$, which implies that $p \mid q$, a contradiction. Therefore, $a > p + 1$, and so $a - 1 - p$ is a 
positive integer. The last inequality gives us $b < b(a - 1 - p) < 2p^2 - p$. Therefore, there are 
only finitely many values for $b$. Because $a$ and $b$ determine $q$ and $r$, we see that there can be only 
finitely many Carmichael numbers of this form. 

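17. We have $q_n(ab) = ((ab)^{\lambda(n)} - 1)/n = (a^{\lambda(n)}b^{\lambda(n)} - a^{\lambda(n)} - b^{\lambda(n)} + 1 + a^{\lambda(n)} + b^{\lambda(n)} - 2)/n =
(a^{\lambda(n)} - 1)(b^{\lambda(n)} - 1)/n + ((a^{\lambda(n)} - 1) + (b^{\lambda(n)} - 1))/n \equiv q_n(a) + q_n(b) \pmod n$. At the last
step, we use the fact that $n^2$ must divide $(a^{\lambda(n)} - 1)(b^{\lambda(n)} - 1)$, because $\lambda(n)$ is the universal
exponent.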

Section 10.1 

1. 69, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 05, 02, 00, 00, 00 

3. 10 

5. a. $a \equiv 1 \pmod{20}$ b. $a \equiv 1 \pmod{30030}$ c. $a \equiv 1 \pmod{111111}$ d. $a \equiv 1 \pmod{2^{25} - 1}$.

7. a. 31 b. 715,827,882 c. 31 d. 195,225,786 e. 1,073,741,823 f. 1,073,741,823 

9. 8, 64, 15, 71, 36, 64, 15, 71, 36, . . . 

11. First we find that $\mathrm{ord}_{77}\, 8$ is 10. Because $\mathrm{ord}_5\, 2 = 4$, the period length is 4.

13. Using the notation of Theorem 10.4, we have $\phi(77) = 60$, so $\mathrm{ord}_{77}\, x_0$ is a divisor of $60 = 2^2 \cdot 3 \cdot 5$.
Then the only possible values for $s$ are the odd divisors of 60, which are 3, 5, and 15. Then we
note that $2^2 \equiv 1 \pmod 3$, $2^4 \equiv 1 \pmod 5$, and $2^4 = 16 \equiv 1 \pmod{15}$. In each case we have shown
that $\mathrm{ord}_s\, 2 \le 4$. Hence by Theorem 10.4, the maximum period length is 4.

15. 1, 24, 25, 18, 12, 30, 11, 10, 21 

17. Check that 7 has maximal order 1800 modulo $2^{25} - 1$. To make a large enough multiplier, raise 7
to a power relatively prime to $\phi(2^{25} - 1) = 32{,}400{,}000$, for example, to the 11th power.

19. 665 

21. a. 8, 2, 8, 2, 8, 2, . . . b. 9, 12, 6, 13, 8, 18, 2, 4, 16, 3, 9, 12, 6, . . . 

Section 10.2 

1. We select $k = 1234$ for our random integer. Converting the plaintext into numerical equivalents
results in 0700 1515 2401 0817 1907 0300 2423, where we filled out the last block
with an X. Using a calculator or computational software, we find $\gamma \equiv r^k \equiv 6^{1234} \equiv 517
\pmod{2551}$. Then for each block $P$, we compute $\delta \equiv P \cdot b^k \equiv P \cdot 33^{1234} \equiv P \cdot 651 \pmod{2551}$.
The resulting blocks are $0700 \cdot 651 \equiv 1622 \pmod{2551}$, $1515 \cdot 651 \equiv 1579 \pmod{2551}$,
$2401 \cdot 651 \equiv 1839 \pmod{2551}$, $0817 \cdot 651 \equiv 1259 \pmod{2551}$, $1907 \cdot 651 \equiv 1671 \pmod{2551}$,
$0300 \cdot 651 \equiv 1424 \pmod{2551}$, and $2423 \cdot 651 \equiv 855 \pmod{2551}$. Therefore, the ciphertext is
(517, 1622), (517, 1579), (517, 1839), (517, 1259), (517, 1671), (517, 1424), (517, 855). To
decrypt this ciphertext, we compute $\gamma^{p-1-a} \equiv 517^{2551-1-13} \equiv 517^{2537} \equiv 337 \pmod{2551}$. Then
for each block of the ciphertext, we compute $P \equiv 337 \cdot \delta \pmod{2551}$. For the first block, we
have $337 \cdot 1622 \equiv 0700 \pmod{2551}$, which was the first block of the plaintext. The other blocks
are decrypted the same way.

3. RABBIT 

5. $(\gamma, s) = (2022, 833)$; to verify this signature, we compute $V_1 \equiv 2022^{833} \cdot 801^{2022} \equiv 1014 \equiv 3^{823} \equiv
V_2 \pmod{2657}$ using computational software.

7. Let $\delta_1 = P_1 b^k$ and $\delta_2 = P_2 b^k$ as in the ElGamal cryptosystem. If $P_1$ is known, it is easy to compute
an inverse $\overline{P_1}$ for $P_1$ modulo $p$. Then $b^k \equiv \overline{P_1}\,\delta_1 \pmod p$. Then it is also easy to compute an inverse
$\overline{b^k}$ for $b^k \pmod p$. Then $P_2 \equiv \overline{b^k}\,\delta_2 \pmod p$. Hence, the plaintext $P_2$ is recovered.
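
The arithmetic of Exercise 1 and the leak described in Exercise 7, as an added Python example (not code from the book). The parameters and blocks are those of Exercise 1; the function names and the list of fresh exponents are assumptions made for the illustration.

```python
"""Textbook ElGamal with the numbers of Exercise 1, and the shared-k leak of Exercise 7."""

P = 2551                 # prime modulus from the answer
R = 6                    # primitive root r
A = 13                   # private exponent a
B = pow(R, A, P)         # public key b = r^a mod p (33 in the answer)

# Plaintext blocks exactly as listed in the answer to Exercise 1.
BLOCKS = [700, 1515, 2401, 817, 1907, 300, 2423]


def encrypt(blocks, ks):
    """Encrypt block i with ephemeral exponent ks[i]; returns (gamma, delta) pairs."""
    pairs = []
    for m, k in zip(blocks, ks):
        gamma = pow(R, k, P)
        delta = (m * pow(B, k, P)) % P
        pairs.append((gamma, delta))
    return pairs


def decrypt(pairs):
    """P = gamma^(p-1-a) * delta mod p, the formula used in the answer."""
    return [(pow(gamma, P - 1 - A, P) * delta) % P for gamma, delta in pairs]


def recover_from_known_block(pairs, index, known_plain):
    """Exercise 7: one known plaintext block yields b^k, and with it every
    block whose gamma shows it was encrypted under the same k.
    The private exponent a is never used. Blocks under another k give None."""
    gamma0, delta0 = pairs[index]
    mask = (pow(known_plain, -1, P) * delta0) % P    # b^k = inverse(P_1) * delta_1
    unmask = pow(mask, -1, P)                        # inverse of b^k
    return [(unmask * d) % P if g == gamma0 else None for g, d in pairs]


def blocks_to_text(blocks):
    """Decode four-digit blocks into letters (A=00 ... Z=25, two per block)."""
    return "".join(chr(65 + b // 100) + chr(65 + b % 100) for b in blocks)


if __name__ == "__main__":
    # The exercise reuses k = 1234 for every block.
    shared = encrypt(BLOCKS, [1234] * len(BLOCKS))
    print("ciphertext:", shared)
    print("decrypted :", blocks_to_text(decrypt(shared)))
    print("known-block recovery, shared k:",
          recover_from_known_block(shared, 0, BLOCKS[0]))

    # Constructed exponents, one per block. Real use draws each k at random
    # (for example with the secrets module) and never repeats it.
    fresh = encrypt(BLOCKS, list(range(1234, 1234 + len(BLOCKS))))
    print("known-block recovery, fresh k :",
          recover_from_known_block(fresh, 0, BLOCKS[0]))
```

With a shared k the whole message falls to one known block; with a distinct k per block only the known block itself is recovered.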

Section 10.3 

1. a. 8 b. 5 c. 2 d. 6 e. 30 f. 20 

3. a. At each stage of the splicing, the $k$th wire of one section is connected to the $S(k)$th wire, where
$S(k)$ is the least positive residue of $3k - 2 \pmod{50}$. b. At each stage of the splicing, the $k$th
wire of one section is connected to the $S(k)$th wire, where $S(k)$ is the least positive residue of
$21k + 56 \pmod{76}$. c. At each stage of the splicing, the $k$th wire of one section is connected
to the $S(k)$th wire, where $S(k)$ is the least positive residue of $2k - 1 \pmod{125}$.

Section 11.1 

1. a. 1 b. 1,4 c. 1, 3, 4, 9, 10, 12 d. 1, 4, 5, 6, 7, 9, 11, 16, 17 

3. 1,-1, -1, 1 

5. a. = 70 1 - 1/2 = 7 5 = 492. 7 = 5 2 - 7 = 3- 7 = -1 (mod 11) b. (7, 14, 21, 28, 35) = 

(7, 3, 10, 6, 2) (mod 11) and three of these are greater than 11/2, so = (-1) 3 = -1 

7. We have — (y) by Theorem 11.4. Using Theorems 11.5 and 11.6, we have: If 
p = 1 (mod 8) then, = (1)(1) = 1. If p = 3 (mod 8), then = ( — 1)( — 1) = 1. If p = — 1 

(mod 8), then ( = (-1)(1) = -1. If p = -3 (mod 8), then ( ) = (1)(-1) = -1. 

9. Because $p - 1 \equiv -1$, $p - 2 \equiv -2$, \ldots, $(p + 1)/2 \equiv -(p - 1)/2 \pmod p$, we have
$((p - 1)/2)!^2 \equiv -(p - 1)! \equiv 1 \pmod p$ by Wilson’s theorem. (Because $p \equiv 3 \pmod 4$, we have that
$(p - 1)/2$ is odd, so that $(-1)^{(p-1)/2} = -1$.) By Euler’s criterion, $((p - 1)/2)!^{(p-1)/2} \equiv$

(p) (§) ' ' ‘ ( (P ~p 1)/2 ) = (— l) 1 (mod p), by definition of the Legendre symbol. Because 
(( p — l)/2)! = ±1 (mod p), and (p — l)/2 is odd, we have the result. 

11. If p = 1 (mod 4), (f) = (f ) (f) = 1 • 1 = 1. If p = 3 (mod 4), (f) = (f ) (f) = 
(-1) ■ 1 = -1. 

13. a. $x \equiv 2$ or $4 \pmod 7$ b. $x \equiv 1 \pmod 7$ c. no solutions

15. Suppose that p is a prime that is at least 7. At least one of the three incongruent integers 2, 3, and 
6 is a quadratic residue of p, because if neither 2 nor 3 is a quadratic residue of p, then 2 • 3 = 6 is 
a quadratic residue of p. If 2 is a quadratic residue, then 2 and 4 are quadratic residues that differ 
by 2; if 3 is a quadratic residue, then 1 and 3 are quadratic residues that differ by 2; while if 6 is a 
quadratic residue, then 4 and 6 are quadratic residues that differ by 2. 

17. a. Because $p = 4n + 3$, $2n + 2 = (p + 1)/2$. Then $x^2 \equiv (\pm a^{n+1})^2 \equiv a^{2n+2} \equiv a^{(p+1)/2} \equiv
a^{(p-1)/2} a \equiv 1 \cdot a \equiv a \pmod p$, using the fact that $a^{(p-1)/2} \equiv 1 \pmod p$, because $a$ is a quadratic
residue of $p$. By Lemma 11.1, there are only these two solutions. b. By Lemma 11.1, there are
exactly two solutions to $y^2 \equiv 1 \pmod p$, namely, $y \equiv \pm 1 \pmod p$. Because $p \equiv 5 \pmod 8$, $-1$
is a quadratic residue of $p$ and 2 is a quadratic nonresidue of $p$. Because $p = 8n + 5$, we
have $4n + 2 = (p - 1)/2$ and $2n + 2 = (p + 3)/4$. Then $(\pm a^{n+1})^2 \equiv a^{(p+3)/4} \pmod p$ and
$(\pm 2^{2n+1} a^{n+1})^2 \equiv 2^{(p-1)/2} a^{(p+3)/4} \equiv -a^{(p+3)/4} \pmod p$ by Euler’s criterion. We must show that
one of $a^{(p+3)/4}$ or $-a^{(p+3)/4} \equiv a \pmod p$. Now, $a$ is a quadratic residue of $p$, so $a^{(p-1)/2} \equiv 1
\pmod p$ and therefore $a^{(p-1)/4}$ solves $x^2 \equiv 1 \pmod p$. But then $a^{(p-1)/4} \equiv \pm 1 \pmod p$, that is,
$a^{(p+3)/4} \equiv \pm a \pmod p$ or $\pm a^{(p+3)/4} \equiv a \pmod p$, as desired.

19. $x \equiv 1$, 4, 11, or $14 \pmod{15}$

21. 47, 96, 135, 278, 723, 866, 905, 954 (mod 1001) 

23. If $x_0^2 \equiv a \pmod{p^{e+1}}$, then $x_0^2 \equiv a \pmod{p^e}$. Conversely, if $x_0^2 \equiv a \pmod{p^e}$, then $x_0^2 = a + bp^e$
for some integer $b$. We can solve the linear congruence $2x_0 y \equiv -b \pmod p$, say, $y = y_0$.
Let $x_1 = x_0 + y_0 p^e$. Then $x_1^2 \equiv x_0^2 + 2x_0 y_0 p^e = a + p^e(b + 2x_0 y_0) \equiv a \pmod{p^{e+1}}$ because
$p \mid 2x_0 y_0 + b$. This is the induction step in showing that $x^2 \equiv a \pmod{p^e}$ has solutions if and
only if $\left(\frac{a}{p}\right) = 1$.

25. a. 4 b. 8 c. 0 d. 16 

27. Suppose $p_1, p_2, \ldots, p_n$ are the only primes of the form $4k + 1$. Let $N = 4(p_1 p_2 \cdots p_n)^2 + 1$.
Let $q$ be an odd prime factor of $N$. Then $q \ne p_i$, $i = 1, 2, \ldots, n$, but $N \equiv 0 \pmod q$, so
$4(p_1 p_2 \cdots p_n)^2 \equiv -1 \pmod q$ and therefore $\left(\frac{-1}{q}\right) = 1$, so $q \equiv 1 \pmod 4$ by Theorem 11.5.

29. Let b h b 2 , b 3 , and b 4 be four incongruent modular square roots of a modulo pq. Then each 
b t is a solution to exactly one of the four systems of congruences in the text. For convenience, 
let the subscripts correspond to the lowercase Roman numerals of the systems. Suppose two of 
the Vs were quadratic residues modulo pq. Without loss of generality, say b x = y 2 (mod pq) 
and b 2 = y 2 (mod pq). Then from systems (i) and (ii), we have that y 2 = b 1 = x 2 (mod q) and 
y 2 = b 2 = —x 2 (mod q). Therefore, both jc 2 and — x 2 are quadratic residues modulo q, but this is 
impossible because q = 3 (mod 4). The other cases are identical. Next we show that one of the 
modular square roots is a quadratic residue. Because a is a quadratic residue modulo p, there 
exists b such that (±b) 2 = a (mod p). Likewise, there exists c such that (±c) 2 = a (mod q). One 
of b or —b is a quadratic residue modulo p, by Exercise 11. Without loss of generality, suppose 
b = d 2 (mod p). Likewise, suppose c = e 2 (mod q). Solve the system of congruences x = d 
(mod p), x = e (mod q). Then x 2 = b (mod p) and x 2 = c (mod q). Thus, x 2 satisfies one of the 
four congruences in the text and hence must be one of the V Therefore, this b { is a quadratic 
residue modulo pq. 

31. Let $r$ be a primitive root for $p$ and let $a \equiv r^s \pmod p$ and $b \equiv r^t \pmod p$ with $1 \le s, t \le p - 1$.
If $a \equiv b \pmod p$, then $s = t$ and so $s$ and $t$ have the same parity. By Theorem 11.2, we have part
(i). Further, we have $ab \equiv r^{s+t} \pmod p$. Then the right-hand side of (ii) is 1 exactly when $s$ and
$t$ have the same parity, which is exactly when the left-hand side is 1. This proves part (ii). Finally,
because $a^2 \equiv r^{2s} \pmod p$ and $2s$ is even, we must have that $a^2$ is a quadratic residue modulo $p$,
proving part (iii).

33. If $r$ is a primitive root of $q$, then the set of all primitive roots is given by $\{r^k : (k, \phi(q)) = (k, 2p) =
1\}$. So the $p - 1$ numbers $\{r^k : k$ is odd and $k \ne p$, $1 \le k < 2p\}$ are all the primitive roots of $q$.
On the other hand, $q$ has $(q - 1)/2 = p$ quadratic residues, which are given by $\{r^2, r^4, \ldots, r^{2p}\}$.
This set has no intersection with the first one.

35. First suppose $p = 2^{2^n} + 1$ is a Fermat prime and let $r$ be a primitive root for $p$. Then $\phi(p) = 2^{2^n}$.
Then an integer $a$ is a nonresidue if and only if $a = r^k$ with $k$ odd. But then $(k, \phi(p)) = 1$, so $a$ is
also a primitive root. Conversely, suppose that $p$ is an odd prime and every quadratic nonresidue
of $p$ is also a primitive root of $p$. Let $r$ be a particular primitive root of $p$. Then $r^k$ is a quadratic
nonresidue and hence a primitive root for $p$ if and only if $k$ is odd. But this implies that every odd
number is relatively prime to $\phi(p)$, so $\phi(p)$ must be a power of 2. Thus, $p = 2^b + 1$ for some $b$.
If $b$ had a nontrivial odd divisor, then we could factor $p$ as a difference of $b$ powers, contradicting
the primality of $p$. Therefore, $b$ is a power of 2 and so $p$ is a Fermat prime.

37. a. We have $q = 2p + 1 = 2(4k + 3) + 1 = 8k + 7$, so $\left(\frac{2}{q}\right) = 1$ by Theorem 11.6. Then by Euler’s
criterion, $2^{(q-1)/2} = 2^p \equiv 1 \pmod q$. Therefore, $q \mid 2^p - 1$. b. $11 = 4(2) + 3$ and $23 = 2(11) + 1$,
so $23 \mid 2^{11} - 1 = M_{11}$, by part (a); $23 = 4(5) + 3$ and $47 = 2(23) + 1$, so $47 \mid M_{23}$; $251 = 4(62) + 3$
and $503 = 2(251) + 1$, so $503 \mid M_{251}$.

39. Let $q = 2k + 1$. Because $q$ does not divide $2^p + 1$, we must have, by Exercise 38, that $k \equiv 0$ or 3
$\pmod 4$. That is, $k \equiv 0$, 3, 4, or $7 \pmod 8$. Then $q \equiv 2(0, 3, 4, \text{or } 7) + 1 \equiv \pm 1 \pmod 8$.

41. Note that p +1) ) = ^ ^ because j 2 is a perfect square. Then 

(^) = £?:? (^) = ££2 (I) = £?. (i) - 1 = -1- Here we have used the 
method in the solution to Exercise 10 to evaluate the last sum, and the fact that as j runs through 
the values 1 through p — 2, so does j. 

43. Let $r$ be a primitive root of $p$. Then $x^2 \equiv a \pmod p$ has a solution if and only if $2\,\mathrm{ind}_r\, x \equiv \mathrm{ind}_r\, a
\pmod{p - 1}$ has a solution in $\mathrm{ind}_r\, x$. Because $p - 1$ is even, the last congruence is solvable if and
only if $\mathrm{ind}_r\, a$ is even, which happens when $a = r^2, r^4, \ldots, r^{p-1}$, i.e., $(p - 1)/2$ times.

45. $q = 2(4k + 1) + 1 = 8k + 3$, so 2 is a quadratic nonresidue of $q$. By Exercise 33, 2 is a primitive
root.

47. Check that q = 3 (mod 4), so —1 is a quadratic nonresidue of q. Because 4 = 2 2 , we have 

(y) = ( — 1)(1) = - 1. Therefore, -4 is a nonresidue of q. By Exercise 33, -4 is 
a primitive root. 

49. a. By adding (2b) 2 to both sides, we complete the square, b. There are four solutions to 
x 2 = C + a (mod pq). From each, subtract 2b. c. DETOUR 

51. a. By noting this, the second player can tell which cards dealt are quadratic residues, because the 
ciphertext will also be quadratic residues modulo p. b. All ciphers will be quadratic residues 
modulo p. 

53. 1, 3, 4

Section 11.2

1. a. -1 b. 1 c. 1 d. 1 e. 1 f. 1

3. If p = 1 (mod 6), there are 2 cases: If p = 1 (mod 4), then = 1 and = (^) — ^ = 1. 
So = 1. If P = 3 (mod 4), then = -1 and ( j) = - (§), so = (-1)(-1) = 1. If 
P = -1 (mod 6) and p = 1 (mod 4), then (|) = 1 ■ (f) = (x) = -!• If P = 3 

(mod 4), then (f ) = (=*) (|) = (-1) (- (f )) = (f ) = (^) = -1. 

5. $p \equiv 1$, 3, 9, 19, 25, or $27 \pmod{28}$

7. a. $F_1 = 2^{2^1} + 1 = 5$. We find that $3^{(F_1 - 1)/2} = 3^{(5-1)/2} = 3^2 = 9 \equiv -1 \pmod{F_1}$. Hence by Pepin’s
test, we come (to the already obvious) conclusion that $F_1 = 5$ is prime. b. $F_3 = 2^{2^3} + 1 = 257$.
We find that $3^{(F_3 - 1)/2} = 3^{(257-1)/2} = 3^{128} = (3^8)^{16} \equiv 136^{16} = (136^4)^4 \equiv 64^4 = (64^2)^2 \equiv 241^2 \equiv
256 \equiv -1 \pmod{257}$. Hence by Pepin’s test, $F_3 = 257$ is prime. c. $3^{32768} = 3^{255 \cdot 128}\, 3^{128} \equiv
94^{128}\, 3^{128} \equiv -1 \pmod{F_4}$.

9. a. The lattice points in the rectangle are the points $(i, j)$ where $0 < i < p/2$ and $0 < j < q/2$.
These are the lattice points $(i, j)$ with $i = 1, 2, \ldots, (p - 1)/2$ and $j = 1, 2, \ldots, (q - 1)/2$.
Consequently, there are $(p - 1)/2 \cdot (q - 1)/2$ such lattice points. b. The points on the diagonal
connecting $O$ and $C$ are the points $(x, y)$ where $y = (q/p)x$. Suppose that $x$ and $y$ are integers
with $y = (q/p)x$. Then $py = qx$. Because $(p, q) = 1$, it follows that $p \mid x$, which is impossible
if $0 < x < p/2$. Hence, there are no lattice points on this diagonal. c. The number of lattice
points in the triangle with vertices $O$, $A$, and $C$ is the number of lattice points $(i, j)$ with
$i = 1, 2, \ldots, (p - 1)/2$ and $1 \le j \le iq/p$. For a fixed value of $i$ in the indicated range, there
are $[iq/p]$ lattice points $(i, j)$ in the triangle. Hence, the total number of lattice points in the
triangle is $\sum_{i=1}^{(p-1)/2} [iq/p]$. d. The number of lattice points in the triangle with vertices $O$,
$B$, and $C$ is the number of lattice points $(i, j)$ with $j = 1, 2, \ldots, (q - 1)/2$ and $1 \le i \le jp/q$.
For a fixed value of $j$ in the indicated range, there are $[jp/q]$ lattice points $(i, j)$ in the triangle.
Hence the total number of lattice points in the triangle is $\sum_{j=1}^{(q-1)/2} [jp/q]$. e. Because there are
$(p - 1)/2 \cdot (q - 1)/2$ lattice points in the rectangle, and no points on the diagonal $OC$, the sum of
the numbers of lattice points in the triangles $OBC$ and $OAC$ is $(p - 1)/2 \cdot (q - 1)/2$. By parts (b)
and (c), it follows that $\sum_{i=1}^{(p-1)/2} [iq/p] + \sum_{j=1}^{(q-1)/2} [jp/q] = (p - 1)/2 \cdot (q - 1)/2$. By Lemma
11.3, it follows that $\left(\frac{p}{q}\right) = (-1)^{T(p,q)}$ and $\left(\frac{q}{p}\right) = (-1)^{T(q,p)}$, where $T(p, q) = \sum_{j=1}^{(q-1)/2} [jp/q]$
and $T(q, p) = \sum_{j=1}^{(p-1)/2} [jq/p]$. We conclude that $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)/2 \cdot (q-1)/2}$. This is the
law of quadratic reciprocity.

11. First suppose a —2. Then we have p = ±q (mod 8) and so by Theorem 11.6. 

Now suppose a is an odd prime. If p = q (mod 4a), then p = q (mod a) and so (|) — (£). 
And because p = q (mod 4), (p - l)/2 = (q - l)/2 (mod 2). Then by Theorem 1 1.7, = 

(£) (— i)(P— l)/2-(a— 1)/2 = (£) ( — 1)( ^ i)/2-(a l)/2 = But if p = _ q (mod 4a ), then p = -q 
(mod a) and so = (£). And because p = —q (mod 4), (p - l)/2 = (q - l)/2 + 1 (mod 2). 
Then by Theorem 11.7, (j) = (f) (-l^-DAta-i)/ 2 = (_i)((<?-D/2+iM«-i)/2 _ 

( — 1 )(«— t)/ 2 . The general case follows from the multiplicativity of the Legendre 

symbol. 

13. a. Recall that $e^{xi} = 1$ if and only if $x$ is a multiple of $2\pi$. First, we compute $(e^{(2\pi i/n)k})^n =
e^{(2\pi i/n)nk} = (e^{2\pi i})^k = 1^k = 1$, so $e^{(2\pi i/n)k}$ is an $n$th root of unity. Now, if $(k, n) = 1$, then
$((2\pi i/n)k)a$ is a multiple of $2\pi i$ if and only if $n \mid a$. Therefore, $a = n$ is the least positive
integer for which $(e^{(2\pi i/n)k})^a = 1$. Therefore, $e^{(2\pi i/n)k}$ is a primitive $n$th root of unity.
Conversely, suppose $(k, n) = d > 1$. Then $(e^{(2\pi i/n)k})^{n/d} = e^{(2\pi i)k/d} = 1$, because $k/d$ is an
integer, and so in this case $e^{(2\pi i/n)k}$ is not a primitive $n$th root of unity. b. Let $m = l + kn$


where k is an integer. Then = £ 


i -l+kn [Ifkn 


= f*. Now suppose £ is a primitive nth 


root of unity and that = £*, and without loss of generality, assume m>l. From the first 
part of this exercise, we may take 0 <1 <m <n. Then 0 = - 1). Hence, 

$\zeta^{m-l} = 1$. Because $n$ is the least positive integer such that $\zeta^n = 1$, we must have $m - l = 0$. c.
First, $f(z + 1) = e^{2\pi i(z+1)} - e^{-2\pi i(z+1)} = e^{2\pi iz} e^{2\pi i} - e^{-2\pi iz} e^{-2\pi i} = e^{2\pi iz} \cdot 1 - e^{-2\pi iz} \cdot 1 = f(z)$.
Next, $f(-z) = e^{-2\pi iz} - e^{2\pi iz} = -(e^{2\pi iz} - e^{-2\pi iz}) = -f(z)$. Finally, suppose $f(z) = 0$. Then
$0 = e^{2\pi iz} - e^{-2\pi iz} = e^{-2\pi iz}(e^{4\pi iz} - 1)$, so $e^{4\pi iz} = 1$. Therefore, $4\pi iz = 2\pi in$ for some integer
$n$, and so $z = n/2$. d. Fix $y$ and consider $g(x) = x^n - y^n$ and $h(x) = (x - y)(\zeta x -
\zeta^{-1} y) \cdots (\zeta^{n-1} x - \zeta^{-(n-1)} y)$ as polynomials in $x$. Both polynomials have degree $n$. The leading
coefficient in $h(x)$ is $\zeta^{1+2+\cdots+(n-1)} = \zeta^{n(n-1)/2} = (\zeta^n)^{(n-1)/2} = 1$, because $n - 1$ is even. So
both polynomials are monic. Further, note that $g(\zeta^{-2k} y) = (\zeta^{-2k} y)^n - y^n = y^n - y^n = 0$ for
$k = 0, 1, 2, \ldots, n - 1$. Also, $h(\zeta^{-2k} y)$ has $(\zeta^k \zeta^{-2k} y - \zeta^{-k} y) = (\zeta^{-k} y - \zeta^{-k} y) = 0$ as one of
its factors. So $g$ and $h$ are monic polynomials sharing these $n$ distinct zeros (because $-2k$ runs
through a complete set of residues modulo $n$, by Theorem 4.7). By the fundamental theorem of
algebra, $g$ and $h$ are identical.

e. Let x — e 2niz and y — e~ 2niz in the identity from part (d). Then the right-hand side be- 

comes n*=o {< ke2niz - r k e- 2niz ) = U n k Z l o (e 2jn(z+ * /7l) - e - 2 *‘( z +*/")) = nVof^z + “) = 
f(z) Uti )/2 / + -) FIfc=(n+i )/2 / ^ • From the identities in part (c), this last prod- 
uct becomes rG=J,+i)/ 2 /( z + ^) = U^' 2 /(* + = U^' 2 f(z + 1 - 0 = 

nt"i 1)/2 ~ - So the product above is equal to /(z) n*l _ i 1)/2 

f^z — — ^ =f(z) nfe 1)/2 ^( Z + ^ ( Z _ ' T ^ en not * n £ t * iat the left side of the 

identity in part (d) is (e 2lzlz ) n — (e~ 2niz ) n = e 2mnz — e~ 2mnz = f(nz ) finishes the proof. 

f. For /= 1, 2, ...,(p — l)/2, let k t be the least positive residue of la modulo p. Then 

Uti 1)/2 ^ = r& 1)/2 by the perodicity of / established in part (c). We break 

this product into two pieces lit,,- ,,,2 / (f ) X\k,> P n / (f ) = rit,<,,/2 / (f ) X\k l>P li 

- / (t9 = IW /(f) n^n/2 / (^) = n& 1)/2 /(f) <-«*. where JV is 
the number of k t exceeding p/2. But by Gauss’ lemma, (— l) N = . This establishes the 

identity, g. Let z — l/p and n—q in the identities in parts (e) and (f). Then we have ^ = 


j) ! f (?) = n& ‘ )/2 n -' ,V2 r (7 + ;) 7 (7 ■ - f ) ' - n& 


'-D/2 


n!£7 1)/2 /' 

n[r,“ /2 /(— + —) / (— — --) (— l)if- 1 )/ 2l te- 1 )/ 2 i where we have used the fact that 
/(— z) = — /(z) and the fact that there are exactly (p — l)/2 • (9 — l)/2 factors in the dou- 
ble product. But, by symmetry, this is exactly the expression for (— l)^ -1 )/ 2 '^- 1 )/ 2 , w hich 
completes the proof. 

15. Because p = 1 (mod 4), we have . And because p = 1 (mod q) for all primes

q < 23, then = 1. Then if a is an integer with 1 < a < 29 and prime factorization 

a — p\p 2 ■ ■ ■ Pk> then each p t < 29 and = \ k = 1. So there are no quadratic 

nonresidues modulo p less than 29. Further, because a quadratic residue must be an even power 
of any primitive root r, then r 1 cannot be less than 29. 


17. a. If a € T, then a = qk for some k = 1, 2, . . . (p — l)/2. So 1 < a < q(p — l)/2 < ( pq — l)/2. 
Further, because k <(p — l)/2, and p is prime, we have (p, k ) = 1. Because (q, p) = 1, 
then (a, p) = ( qk , p) = 1, so a € S, and hence T C S. Now suppose a e S — T. Then 
1 < a < ( pq — l)/2 and (a, p) = 1, and because a gT, then a ^ qk for any k. Thus, (a, q) = 1, 
so (a, pq) — 1, and so a € R. Thus, S - T C R. Conversely, if a e R, then 1 < a < ( pq - l)/2 
and (a, pq) — 1, so certainly (a, q) — 1, and so a is not a multiple of q, and hence a & T. Hence, 
a e S - T. Thus, R c S - T. Therefore, R — S - T. b. Because by part (a), R — S - T we 
have riaes a = FU* a WaeT a = A(q ■ 2q ■ ■ ■ ((p - V)/2 )a) =Aq(P- X)l2 (( p - l)/2)! = 

A ^ ((p - l)/2) ! (mod p) by Euler’s criterion. Note that (pq - l)/2 = p(q - l)/2 + (p - 

l)/2, so that we can evaluate Y\ a€S a = ((p- 1) !)C^-D / 2 (( p _ l)/2)! =(— 1 )(?" 1 )/ 2 (( p - l)/2)! 
(mod p) by Wilson’s theorem. When we set these two expressions congruent to each other 
modulo p and cancel, we get A = (— l)^- 1 )/ 2 as desired, c. Because the roles of p and 
q are identical in the hypotheses and in parts (a) and (b), the result follows by symmetry, d. 
Assume that (-1) (9_1)/2 ^ = (-l)^- 1 )/ 2 By part (b), A = ±1 (mod p), and by part (c), 
A = ±1 (mod q). So by the Chinese remainder theorem, we have A = ±1 (mod pq). Conversely, 
suppose A = 1 (mod pq). Then A = 1 (mod p) and A = 1 (mod q). Then by parts (b) and (c), 
we have (-l)te -1 )/ 2 = A = 1 (mod p) and (-l) (p-1) / 2 = A = 1 (mod q). We conclude 

that (-l)te -1 )/ 2 = (-1 )(p— D/ 2 5 because each side is equal to 1. A similar argument 

works if A = — 1 (mod pq). e. If a is an integer in R, it is in the range 1 < a < (pq — l)/2 and 
therefore its additive inverse modulo pq is in the range (pq + l)/2 < — a < pq — 1 in the set of 
reduced residue classes. By the Chinese remainder theorem, the congruence a 2 = 1 (mod pq) has 
exactly four solutions, 1, —1, b, and —b (mod pq), and the congruence a 2 = — 1 (mod pq) has 
solutions if and only p = q = 1 (mod 4), and in this case it has exactly four solutions i, —i,ib, 
and —ib (mod pq). Now for each element a e R, (a, pq) = 1, so a has a multiplicative inverse 
v. By the remark above, exactly one of v, —v is in R. We let U be the set of those elements that 
are their own inverse or their own negative inverse, that is, let U = {a e R\a 2 = ±1 (mod pq)}. 
Then when we compute A, all other elements will be paired with another element that is either 
its inverse or the negative of its inverse. Thus, we have A — n«±n a (mod pq). So if 

aeR aeU 

p = q = 1 (mod pq), then A = ± J~[ a = ±(1 • b • i • ib) = b 2 i 2 = ^1 (mod pq). Conversely, in 
aeU 

the other case, A = ]~[ a = ±(1 • c) ^ ±1 (mod pq), which completes the proof, f. By parts 
aeU 

(d) and (e), we have that (— 1) (9-1) / 2 ^ = (-l) (p-1) / 2 ^ if and only if p = q = 1 (mod 4). 
So if p = q = 1 (mod 4), we have ^ ^ . But if p = 1 (mod 4) while q = 3 (mod 4), then 

we must have — ^ ^ w * 1 * c * 1 means we must change the sign and have 


(f> 
The case where p = 3 (mod 4) but q = 1 (mod 4) is identical. If p = q = 3 (mod 4), then we must
have — so that we must have — ft)'® , which concludes the proof. 


Section 11.3 

1. a. 1 b. -1 c. 1 d. 1 e. -1 f. 1 

3. 1 , 7, 13, 17, 19, 29, 37, 49, 61, 67, 71, 77, 83, 91, 101, 103, 107, 113, or 119 (mod 120) 

5. The pseudo-squares modulo 21 are 5, 17, and 20. 

7. The pseudo-squares modulo 143 are 1, 3, 4, 9, 12, 14, 16, 23, 25, 27, 36, 38, 42, 48, 49, 53, 56, 
64, 69, 75, 81, 82, 92, 100, 103, 108, 113, 114, 126, and 133. 

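9. Because $n$ is odd and square-free, $n$ has prime factorization $n = p_1 p_2 \cdots p_r$. Let $b$ be one of the
$(p_1 - 1)/2$ quadratic nonresidues of $p_1$, so that $\left(\frac{b}{p_1}\right) = -1$. By the Chinese remainder theorem,
let $a$ be a solution to the system of linear congruences

$x \equiv b \pmod{p_1}$
$x \equiv 1 \pmod{p_2}$
$\vdots$
$x \equiv 1 \pmod{p_r}$.

Then $\left(\frac{a}{p_1}\right) = \left(\frac{b}{p_1}\right) = -1$, $\left(\frac{a}{p_2}\right) = \left(\frac{1}{p_2}\right) = 1$, \ldots, $\left(\frac{a}{p_r}\right) = \left(\frac{1}{p_r}\right) = 1$.

Therefore, $\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)\left(\frac{a}{p_2}\right) \cdots \left(\frac{a}{p_r}\right) = (-1) \cdot 1 \cdots 1 = -1$.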

11. a. Note that ( a , b ) = (b, r\) = (r h r 2 ) = ■ ■ • = (r„_i, r n ) = 1 and because the q t are even, 
the r t are odd. Because r 0 = b and a = (mod 6 ), we have (|) = ( 7 ^^ = (jr'j = 
(^) (?) (“ l) (r °“ 1)/2 - (ri - 1)/2 by Theorem 1 1 . 1 1. If ej = 1, then (§) = (-i)('-o-i)/ 2 -(«vi-i )/2 
If e t = -1, then = (— l)(' 0 -D /2 and wehave = (_ 1) (f to -l)/2.(r 1 +l)/2 ^ = 

( — 1.) ( r ° b/2*( r i l)/2 ^ = ( — !) ( r o - b/2’ ( € i r i — 1)/2 ^ f because (n + l)/2 and (-rj - l)/2 
have the same parity. Similarly, = (-l)( r i- 1 )/2-(e 2 r 2 -i)/2 

SO (|) = ( — l)( r o — i)/2‘(*i r i— i)/2+(rj— l)/2-(€ 2 r 2 — 1)/2 . Proceed inductively until the last step, 

when ( 7 ^) = (r^) = b. If either r t _i = 1 (mod 4) or €,-r f = 1 (mod 4), then (r,- _ x — l)/2 • 

(ep-j — l)/2 is even. Otherwise, that is, if r { _i = e,r ; - = 3 (mod 4), then (r { _i — l)/2 • (e,r,- — l)/2 
is odd. Then the exponent in part (a) is even or odd as T is even or odd. 


13. a. -1 b. -1 c. -1 


15. Let = p“'p “ 2 • • • p“ r and n 2 = q^q 2 2 • ■ ■ q^ s be the prime factorizations of ni and n 2 . Then by 
the definition of the Kronecker symbol, wehave (^j) = (^) * ■ ■ ■ 1 • ■ ■ ’ = 

("i) (^)‘ 


17. If a is odd, then by Exercise 16, we have = (j^)- By Theorem 1 1. 10(f), we have 
using Exercise 16 again. If a is a multiple of 4, say, a = 2 s t with 
s > 2 and t odd. Exercise 16 gives (— 1) (# — D/z-twi — !)/2 and = 
( — l)Cf— 1 )/2-(«2— i)/ 2 Because rt] = n 2 (mod 1 1 1), we have = (j^), and because

4 | a, n\ = n 2 (mod 4), and so (— 1) — !)/ 2 - (» i— i)/ 2 = (— 1) (^ — !)/2- (n 2 — 1)/2 n ow a = q (mod 4), so 
s > 2. If s is 2, then certainly (^) = . If s > 2, then 8 | a and n x = n 2 (mod 8), so 

(i) = <- = <- ^ = (Z)- (ft) - (ft). 

19 . If a = 1 (mod 4), then \a\ = 1 (mod 4) if a > Oand |a| m — 1 (mod 4) if a < 0, so by Exercise 16 we 
have (ppy) = (^p) = (p|) = (-l) (|a|-1) / 2 = lif a > 0 and = — lifacO. Ifa = 0 (mod 4), 

a = 2 s t with t odd and \t\ > 3, then by Exercise 16 (ppx) = (ppi) (— 1) ( ' -1 ^ 2 Be- 

cause s >2, check that ( j^py) = 1, (| a \ — 1 = 7 (mod 8) if s > 2). Also, (— l)^ -1 )/ 2 ^^p^ = 
( _ i)(<-D /2 (^i) = (- i)(t-D/ 2 H\t\-D /2 = 1 if t > 0 and = -1 if t < 0. 


Section 11.4 

1. We have $2^{(561-1)/2} = 2^{280} = (2^{10})^{28} \equiv (-98)^{28} = ((-98)^2)^{14} \equiv 67^{14} = (67^2)^7 \equiv 1^7 = 1 \pmod{561}$.
Furthermore, we see that $\left(\frac{2}{561}\right) = 1$ because $561 \equiv 1 \pmod 8$. But $561 = 3 \cdot 11 \cdot 17$ is not prime.

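3. Suppose that $n$ is an Euler pseudoprime to both the bases $a$ and $b$. Then $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right)$ and
$b^{(n-1)/2} \equiv \left(\frac{b}{n}\right) \pmod n$. It follows that $(ab)^{(n-1)/2} \equiv \left(\frac{a}{n}\right)\left(\frac{b}{n}\right) = \left(\frac{ab}{n}\right) \pmod n$. Hence, $n$ is an
Euler pseudoprime to the base $ab$.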

5. Suppose that $n \equiv 5 \pmod 8$ and $n$ is an Euler pseudoprime to the base 2. Because $n \equiv 5 \pmod 8$,
we have $\left(\frac{2}{n}\right) = -1$. Because $n$ is an Euler pseudoprime to the base 2, we have $2^{(n-1)/2} \equiv \left(\frac{2}{n}\right) = -1
\pmod n$. Write $n - 1 = 2^2 t$ where $t$ is odd. Because $2^{(n-1)/2} = 2^{2t} \equiv -1 \pmod n$, $n$ is a strong
pseudoprime to the base 2.

7. $n \equiv 5 \pmod{40}$

9. 80 
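
The check carried out by hand in Exercise 1, and the closure property of Exercise 3, as an added Python example (not code from the book). The Jacobi-symbol routine is the standard reciprocity-based algorithm; the function names and the extra bases 3, 5 and 7 are assumptions made for the illustration.

```python
"""Euler pseudoprime test: a^((n-1)/2) compared with the Jacobi symbol (a/n)."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # 0 when gcd(a, n) > 1


def passes_euler_test(n, a):
    """True when gcd(a, n) = 1 and a^((n-1)/2) = (a/n) (mod n)."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n


def euler_liars(n):
    """All bases 1 <= a < n for which an odd n passes the test."""
    return [a for a in range(1, n) if passes_euler_test(n, a)]


def probably_prime(n, bases):
    """Solovay-Strassen style check: n must pass for every listed base."""
    if n < 3 or n % 2 == 0:
        return n == 2
    return all(passes_euler_test(n, a) for a in bases)


if __name__ == "__main__":
    n = 561                                      # 3 * 11 * 17, from Exercise 1
    print("2^280 mod 561 =", pow(2, 280, n), " (2/561) =", jacobi(2, n))
    print("base 2 alone says prime:", probably_prime(n, [2]))
    print("bases 2, 3, 5, 7 say prime:", probably_prime(n, [2, 3, 5, 7]))
    liars = euler_liars(n)
    print("bases that 561 fools:", len(liars), "of 320 units")
    # Exercise 3: the product of two such bases is again such a base.
    closed = all((a * b) % n in set(liars) for a in liars for b in liars)
    print("closed under multiplication:", closed)
```

A single base is not evidence of primality: 561 passes for base 2 and fails once base 5 is added, which is why the test is run over several independently chosen bases.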

Section 11.5 

1. 1229 

3. Because $p, q \equiv 3 \pmod 4$, $-1$ is not a quadratic residue modulo $p$ or $q$. If the four square roots
are found using the method in Example 9.19, then only one of each possibility for choosing $+$ or
$-$ can yield a quadratic residue in each congruence, so there is only one system that results in a
square.

5. If Paula chooses $c = 13$, then $v = 713$, which is a quadratic residue of 1411, and which has
square root $u \equiv 837 \pmod{1411}$. Her random number is 822, so she computes $x \equiv 822^2 \equiv 1226
\pmod{1411}$ and $y \equiv v\overline{x} \equiv 713 \cdot 961 \equiv 858 \pmod{1411}$ (an overline denotes the inverse modulo 1411).
She sends $x = 1226$, $y = 858$ to Vince.
Vince checks that $xy \equiv 1226 \cdot 858 \equiv 713 \pmod{1411}$ and then sends the bit $b = 1$ to Paula, so
she computes $\overline{r} \equiv \overline{822} \equiv 1193 \pmod{1411}$ and $u\overline{r} \equiv 837 \cdot 1193 \equiv 964 \pmod{1411}$, which she
sends to Vince. Because Vince sent $b = 1$, he computes $964^2 \equiv 858 \pmod{1411}$ and notes that it
is indeed equal to $y$.

7. The prover sends $x \equiv 1403^2 = 1{,}968{,}409 \equiv 519 \pmod{2491}$. The verifier sends $\{1, 5\}$. The prover
sends $y = 1425$. The verifier computes $y^2 z \equiv 1425^2 \cdot 197 \cdot 494 \equiv 519 \equiv x \pmod{2491}$.

9. a. 959, 1730, 2895, 441, 2900, 2684 b. 1074 c. $1074^2 \cdot 959 \cdot 1730 \cdot 441 \cdot 2684 \equiv 336 \equiv 403^2
\pmod{3953}$

11. If Paula sends back $a$ to Vince, then $a^2 \equiv w^2 \pmod n$, with $a \not\equiv w \pmod n$. Then $a^2 - w^2 =
(a - w)(a + w) \equiv 0 \pmod n$. By computing $(a - w, n)$ and $(a + w, n)$, Vince will likely produce
a nontrivial factor of $n$.
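
One round of the exchange in Exercise 5 and the leak described in Exercise 11, as an added Python example (not code from the book). The numbers are those of Exercise 5; the function names are assumptions, and so is the handling of the challenge bit 0 (Paula reveals r and Vince checks r^2 against x), which the answer above does not show.

```python
"""One round of the square-root proof of Exercise 5, and the leak of Exercise 11."""
from math import gcd

N = 1411                 # public modulus from Exercise 5
U = 837                  # Paula's secret square root of v
V = pow(U, 2, N)         # public value v (713 in the answer)


def commit(r):
    """Paula's first message: x = r^2 and y = v * inverse(x), both mod n."""
    x = pow(r, 2, N)
    y = (V * pow(x, -1, N)) % N
    return x, y


def respond(bit, r):
    """Bit 1: send u * inverse(r), as in the answer.
    Bit 0: send r itself (assumed standard form of the other branch)."""
    return r % N if bit == 0 else (U * pow(r, -1, N)) % N


def verify(x, y, bit, answer):
    """Vince's checks: xy = v, then answer^2 = x (bit 0) or y (bit 1)."""
    if (x * y) % N != V:
        return False
    return pow(answer, 2, N) == (x if bit == 0 else y)


def square_roots(value):
    """All square roots of value mod n, by exhaustive search (n is tiny here)."""
    return [s for s in range(N) if (s * s - value) % N == 0]


def factor_from_two_roots(a, w):
    """Exercise 11: roots a, w of the same square with a != +-w split n.
    Returns the two factors, or None when a = +-w (mod n)."""
    if (a * a - w * w) % N != 0:
        raise ValueError("a and w are not square roots of the same value")
    for d in (gcd(a - w, N), gcd(a + w, N)):
        if 1 < d < N:
            return tuple(sorted((d, N // d)))
    return None


if __name__ == "__main__":
    r = 822                                   # Paula's random number in the answer
    x, y = commit(r)
    print("commitment:", (x, y))
    for bit in (0, 1):
        ans = respond(bit, r)
        print(f"bit {bit}: answer {ans}, accepted: {verify(x, y, bit, ans)}")

    roots = square_roots(V)
    print("square roots of v:", roots)
    other = next(s for s in roots if s not in (U, N - U))
    print("a second root", other, "together with u splits n:",
          factor_from_two_roots(other, U))
    print("u and -u give nothing:", factor_from_two_roots(N - U, U))
```

This is why a party holding the factorization must never return a square root of a value chosen by someone else: a root different from plus or minus the one the requester already knows hands over the factors of n.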

Section 12.1 

1. a. .4 b. .416 c. .923076 d. .53 e. .009 f. .000999 

3. a. 3/25 b. 11/90 c. 4/33

5. b — 2 r 3 s 5 t l u , with r, s, t, and u nonnegative integers 

7. a. pre-period 1, period 0 b. pre-period 2, period 0 c. pre-period 1, period 4 d. pre-period 
2, period 0 e. pre-period 1, period 1 f. pre-period 2, period 4 

9. a. 3 b. 11 c. 37 d. 101 e. 41 and 271 f. 7 and 13

11. Using the construction from Theorem 12.2 and Example 12.1, we use induction to show that c k — 
k — 1 and y k — (kb — k + 1 )/(b — l) 2 . Clearly, c l — c and y\ — b/(b — l) 2 . The induction step is as 
follows: c k+1 = \ by k ] = [(kb 2 - bk + b)/(b - l) 2 ] = [(k(b - l) 2 + b(k + 1) - k)/(b — l) 2 ] = 
[k + (b(k + 1) - k)/(b - l) 2 ] = k, and y k+1 m ((k + 1 )b - k)/(b - l) 2 , if k ^ b — 2. If 
k = b — 2, we have c b _ 2 = b — 1, so we have determined b — 1 consecutive digits of the expansion. 
From the binomial theorem, (x + 1)“ = ax + 1 (mod x 2 ), so ord (b-vpb — b— 1, which is the 
period length. Therefore, we have determined the entire expansion. 

13. The base b expansion is (.100100001 . . .) b , which is non-repeating and therefore by Theorem 
12.4 represents an irrational number. 

15. Let $y$ be a real number. Set $c_0 = [y]$ and $y_1 = y - c_0$. Then $0 \le y_1 < 1$ and $y = c_0 + y_1$.
From the condition that $c_k < k$ for $k = 1, 2, 3, \ldots$, we must have $c_1 = 0$. Let $c_2 = [2y_1]$ and
$y_2 = 2y_1 - c_2$. Then $y_1 = (c_2 + y_2)/2$, so $y = c_0 + c_1/1! + c_2/2! + y_2/2!$. Now let $c_3 = [3y_2]$
and $y_3 = 3y_2 - c_3$. Then $y_2 = (c_3 + y_3)/3$ and so $y = c_0 + c_1/1! + c_2/2! + c_3/3! + y_3/3!$.
Continuing in this fashion, for each $k = 2, 3, \ldots$, define $c_k = [k y_{k-1}]$ and $y_k = k y_{k-1} - c_k$.
Then $y = c_0 + c_1/1! + c_2/2! + c_3/3! + \cdots + c_k/k! + y_k/k!$. Because each $y_k < 1$, we know that
$\lim_{k \to \infty} y_k/k! = 0$, so we conclude that $y = c_0 + c_1/1! + c_2/2! + c_3/3! + \cdots + c_k/k! + \cdots$.

17. In the proof of Theorem 12.2, the numbers py n are the remainders of b n upon division by p. 
The process recurs as soon as some y t repeats a value. Because 1/p = (.qc 2 . . . c p _ 3 ) has period 
length p — 1, we have by Theorem 12.4 that ord p b = p — 1, so there is an integer k such that 
b k = m (mod p). So the remainders of mb n upon division by p are the same as the remainders 
of b k b n upon division by p. Hence, the nth digit of the expansion of m/p is determined by the 
remainder of b k+n upon division by p. Therefore, it will be the same as the (k + n)th digit of 1/p. 

19. n must be prime with 2 a primitive root. 

21. Let $yb^{j-1} = a + \epsilon$, where $a$ is an integer and $0 \le \epsilon < 1$. Then $[yb^j] - b[yb^{j-1}] = [(a + \epsilon)b] - b[a + \epsilon] = ab + [\epsilon b] - ab = [\epsilon b]$. Because $0 \le \epsilon < 1$, this last expression is an integer between 0 and $b - 1$. Therefore, $0 \le [yb^j] - b[yb^{j-1}] \le b - 1$. Now consider the sum $\sum_{j=1}^{N} ([yb^j] - b[yb^{j-1}])/b^j$. Factor out $1/b^N$ to clear fractions and this becomes $(1/b^N) \sum_{j=1}^{N} (b^{N-j}[yb^j] - b^{N-j+1}[yb^{j-1}])$. This sum telescopes to $(-b^N[y] + [yb^N])/b^N = [yb^N]/b^N$ because $[y] = 0$. But $[yb^N]/b^N = (yb^N - yb^N + [yb^N])/b^N = y - (yb^N - [yb^N])/b^N$. But $0 \le yb^N - [yb^N] < 1$, so taking limits as $N \to \infty$ of both sides of this equation yields $y = \sum_{j=1}^{\infty} ([yb^j] - b[yb^{j-1}])/b^j$. By the uniqueness of the base $b$ expansion given in Theorem 12.1, we must have $c_j = [yb^j] - b[yb^{j-1}]$ for each $j$.
23. Let a — y ^ , and 


£* = V<Zin.Then«- 

n, ^ 10'! 


= £ 

i=*+i 


(~1) Q ‘ 

10 t! 


< Y — -.As in 

_ .4r, io« ! 

i=*+l 


the proof of Corollary 12.5.1, it follows that a — — < 

I 4*1 

no real number C as in Theorem 12.5. Hence, a must be transcendental. 


10(*+b! 


, which shows that there can be 


25. Suppose $e = h/k$. Then $k!(e - 1 - 1/1! - 1/2! - \cdots - 1/k!)$ is an integer. But this is equal to $k!(1/(k+1)! + 1/(k+2)! + \cdots) = 1/(k+1) + 1/((k+1)(k+2)) + \cdots < 1/(k+1) + 1/(k+1)^2 + \cdots = 1/k < 1$. But $k!(1/(k+1)! + 1/(k+2)! + \cdots)$ is positive, and therefore cannot be an integer, a contradiction.


Section 12.2 

1. a. 15/7 b. 10/7 c. 6/31 d. 355/113 e. 2 f. 3/2 g. 5/3 h. 8/5

3. a. [1; 2, 1, 1, 2] b. [1; 1, 7, 2] c. [2; 9] d. [3; 7, 1, 1, 1, 1, 2] e. [-1; 13, 1, 1, 2, 1, 1, 2, 2] f. [0; 9, 1, 3, 6, 2, 4, 1, 2]

5. a. 1, 3/2, 4/3, 7/5, 18/13 b. 1, 2, 15/8, 32/17 c. 2, 19/9 d. 3, 22/7, 25/8, 47/15, 72/23, 119/38, 310/99 e. -1, -12/13, -13/14, -25/27, -63/68, -88/95, -151/163, -390/421, -931/1005 f. 0, 1/9, 1/10, 4/39, 25/244, 54/527, 241/2352, 295/2879, 831/8110

7. a. 3/2 > 7/5 and 1 < 4/3 < 18/13 b. 2 > 32/17 and 1 < 15/8 c. vacuous d. 22/7 > 47/15 > 119/38 and 3 < 25/8 < 72/23 < 310/99 e. -12/13 > -25/27 > -88/95 > -390/421 and -1 < -13/14 < -63/68 < -151/163 < -931/1005 f. 1/9 > 4/39 > 54/527 > 295/2879 and 0 < 1/10 < 25/244 < 241/2352 < 831/8110

9. Let $\alpha = r/s$. The Euclidean algorithm for $1/\alpha = s/r < 1$ gives $s = 0(r) + s$; $r = a_0(s) + a_1$, and continues just like for $r/s$.

11. Proceed by induction. The basis case is trivial. Assume $q_j \ge f_j$ for $j < k$. Then $q_k = a_kq_{k-1} + q_{k-2} \ge a_kf_{k-1} + f_{k-2} \ge f_{k-1} + f_{k-2} = f_k$, as desired.

13. By Exercise 10, we have $p_n/p_{n-1} = [a_n; a_{n-1}, \ldots, a_0] = [a_0; a_1, \ldots, a_n] = p_n/q_n = r/s$ if the continued fraction is symmetric. Then $q_n = p_{n-1} = s$ and $p_n = r$, so by Theorem 12.10 we have $p_nq_{n-1} - q_np_{n-1} = rq_{n-1} - s^2 = (-1)^{n-1}$. Then $rq_{n-1} = s^2 + (-1)^{n-1}$ and so $r \mid s^2 - (-1)^n$. Conversely, if $r \mid s^2 + (-1)^{n-1}$, then $(-1)^{n-1} = p_nq_{n-1} - q_np_{n-1} = rq_{n-1} - p_{n-1}s$. So $r \mid p_{n-1}s + (-1)^{n-1}$ and hence $r \mid (s^2 + (-1)^{n-1}) - (p_{n-1}s + (-1)^{n-1}) = s(s - p_{n-1})$. Because $s, p_{n-1} < r$ and $(r, s) = 1$, we have $s = p_{n-1}$. Then $[a_n; a_{n-1}, \ldots, a_0] = p_n/p_{n-1} = r/s = [a_0; a_1, \ldots, a_n]$.

15. Note that the notation $[a_0; a_1, \ldots, a_n]$ makes sense, even when the $a_j$'s are not integers. Use induction. Assume the statement is true for $k$ odd and prove it for $k + 2$. Define $a'_k = [a_k; a_{k+1}, a_{k+2}]$ and check that $a'_k < [a_k; a_{k+1}, a_{k+2} + x] = a'_k + x'$. Then $[a_0; a_1, \ldots, a_{k+2}] = [a_0; a_1, \ldots, a'_k] > [a_0; a_1, \ldots, a'_k + x'] = [a_0; a_1, \ldots, a_{k+2} + x]$. Proceed similarly for $k$ even.


Section 12.3 

1. a. [1; 2, 2, 2, ...] b. [1; 1, 2, 1, 2, ...] c. [2; 4, 4, ...] d. [1; 1, 1, 1, ...]

3. 312689/99532 

5. If a\ > 1, let A — [a 2 ; 03, . . .]. Then [a 0 ; a h . . .] + [— a 0 — 1; 1, aj — 1, a 2 , a 3 , • • •] = a 0 + 
"i+HM) + (-0 - 1 + 1+ _^_) = Similarly if m = 1. 
7. If $\alpha = [a_0; a_1, a_2, \ldots]$, then $1/\alpha = 1/[a_0; a_1, a_2, \ldots] = 0 + \dfrac{1}{a_0 + \dfrac{1}{a_1 + \cdots}} = [0; a_0, a_1, a_2, \ldots]$. Then the $k$th convergent of $1/\alpha$ is $[0; a_0, a_1, a_2, \ldots, a_{k-1}] = 1/[a_0; a_1, a_2, \ldots, a_{k-1}]$, which is the reciprocal of the $(k - 1)$st convergent of $\alpha$.

9. By Theorem 12.19, such a $p/q$ is a convergent of $\alpha$. Now $(\sqrt{5} + 1)/2 = [1; 1, 1, \ldots]$, so $q_n = f_n$ (Fibonacci) and $p_n = q_{n+1}$. Then $\lim_{n\to\infty} q_{n-1}/q_n = \lim_{n\to\infty} q_{n-1}/p_{n-1} = 2/(\sqrt{5} + 1) = (\sqrt{5} - 1)/2$. So $\lim_{n\to\infty} ((\sqrt{5} + 1)/2 + (q_{n-1}/q_n)) = (\sqrt{5} + 1)/2 + (\sqrt{5} - 1)/2 = \sqrt{5}$. So $(\sqrt{5} + 1)/2 + (q_{n-1}/q_n) > c$ only finitely often. Whence, $1/\left(((\sqrt{5} + 1)/2 + (q_{n-1}/q_n))\,q_n^2\right) < 1/(cq_n^2)$ only finitely often. The following identity finishes the proof. Note that $\alpha_n = \alpha$ for all $n$. Then $|\alpha - (p_n/q_n)| = |(\alpha_{n+1}p_n + p_{n-1})/(\alpha_{n+1}q_n + q_{n-1}) - (p_n/q_n)| = |(-(p_nq_{n-1} - p_{n-1}q_n))/(q_n(\alpha q_n + q_{n-1}))| = 1/(q_n^2(\alpha + (q_{n-1}/q_n)))$.

11. If $\beta$ is equivalent to $\alpha$, then $\beta = (a\alpha + b)/(c\alpha + d)$. Solving for $\alpha$ gives $\alpha = (-d\beta + b)/(c\beta - a)$, so $\alpha$ is equivalent to $\beta$.

13. By symmetry and transitivity (Exercises 11 and 12), it suffices to show that every rational number $\alpha = m/n$ (which we can assume is in lowest terms) is equivalent to 1. By the Euclidean algorithm, we can find $a$ and $b$ such that $ma + nb = 1$. Let $d = m + b$ and $c = a - n$. Then $(a\alpha + b)/(c\alpha + d) = 1$.

15. Note that $p_{k,t}q_{k-1} - q_{k,t}p_{k-1} = t(p_{k-1}q_{k-1} - q_{k-1}p_{k-1}) + (p_{k-2}q_{k-1} - p_{k-1}q_{k-2}) = \pm 1$. Thus, $p_{k,t}$ and $q_{k,t}$ are relatively prime.

17. See, for example, the classic work by O. Perron, Die Lehre von den Kettenbrüchen, Leipzig, Teubner (1929).

19. 179/57 

21. Note first that if $b < d$, then $|a/b - c/d| < 1/2d^2$ implies that $|ad - bc| < b/2d < 1/2$, but because $b \ne d$, $|ad - bc|$ is a positive integer, and so is greater than 1/2. Thus, $b > d$. Now assume that $c/d$ is not a convergent of the continued fraction for $a/b$. Because the denominators of the convergents increase to $b$, there must be two successive convergents $p_n/q_n$ and $p_{n+1}/q_{n+1}$ such that $q_n < d < q_{n+1}$. Next, by the triangle inequality we have

1/2 d 2 > \- - -I = I- - ^5- 1 - I- - > I- - M - , because the n + 1st 

I b d \ \ d q n \ \b q„\ I d q n \ \ q n+l q n \ 

convergent is on the other side of a/b from the nth convergent. Because the numerator of the 

first difference on the right side is a nonzero integer, and applying Corollary 12.3 to the second 
difference, we have the last expression greater than or equal to $1/dq_n - 1/q_{n+1}q_n$. If we multiply

through by d 2 , we get — > — ( 1 — J > 1 — because d/q n > 1. From which we 

2 q n \ q n + if q n +i 

deduce that $1/2 < d/q_{n+1}$.

The convergents $p_n/q_n$ and $p_{n+1}/q_{n+1}$ divide the line into three regions. As $c/d$ could be in
any of these, there are three cases. Case 1 : If c/d is between the convergents, then — < 

dq n 

because the numerator of the fraction is a positive integer and the denominators on both sides 

of the inequality are the same. This last is less than or equal to ^ n+l — — = — - — because 

| 9n+ 1 | qn+iqn 

the $n + 1$st convergent is farther from the $n$th convergent than $c/d$ and where we have applied
Corollary 12.3. But this implies that $d > q_{n+1}$, a contradiction. Case 2: If $c/d$ is closer to $p_n/q_n$,

then again — < — — — < — — — because a/b is on the other side of the nth convergent 
dq n | d q n \ \b d\ 

from $c/d$. But this last is less than $1/2d^2$, and if we multiply through by $d$, we have $1/q_n < 1/2d$.


!L_ Pn 
d q n 
which implies that $q_n > d$, a contradiction. Case 3: If $c/d$ is closer to $p_{n+1}/q_{n+1}$, then with the
same reasoning as in Case 2, we have — - — < — — < - - — < 1/24 2 . But this implies 

dq n + 1 | d q n+ i \ \b d\ 

that $d/q_{n+1} < 1/2$, contradicting the inequality established above. Having exhausted all the cases,
we must conclude that c/d must be a convergent of the continued fraction for a/b. 

Section 12.4 

1. a. [2; 1, 1, 1, 4] b. [3; 3, 6] c. [4; 1, 3, 1, 8] d. [6; 1, 5, 1, 12] e. [7; 1, 2, 7, 2, 1, 14] f. [9; 1, 2, 3, 1, 1, 5, 1, 8, 1, 5, 1, 1, 3, 2, 1, 18]

3. a. [2; 2] b. [1; 2, 2, 2, 1, 12, 1] c. [0; 1, 1, 2, 3, 10, 3]

5. a. $(23 + \sqrt{29})/10$ b. $(-1 + 3\sqrt{5})/2$ c. $(8 + \sqrt{82})/6$

7. a. $\sqrt{10}$ b. $\sqrt{17}$ c. $\sqrt{26}$ d. $\sqrt{37}$

9. a. We have $\alpha_0 = \sqrt{d^2 - 1}$, $a_0 = d - 1$, $P_0 = 0$, $Q_0 = 1$, $P_1 = (d - 1)(1) - 0 = d - 1$, $Q_1 = ((d^2 - 1) - (d - 1)^2)/1 = 2d - 2$, $\alpha_1 = (d - 1 + \sqrt{d^2 - 1})/(2(d - 1)) = 1/2 + (1/2)\sqrt{(d + 1)/(d - 1)}$, $a_1 = 1$, $P_2 = 1(2d - 2) - (d - 1) = d - 1$, $Q_2 = (d^2 - 1 - (d - 1)^2)/(2d - 2) = 1$, $\alpha_2 = (d - 1 + \sqrt{d^2 - 1})/1$, $a_2 = 2d - 2$, $P_3 = 2(d - 1)(1) - (d - 1) = d - 1 = P_1$, $Q_3 = ((d^2 - 1) - (d - 1)^2)/1 = 2d - 2 = Q_1$, so $\alpha = [d - 1; 1, 2(d - 1)]$. b. We have $\alpha_0 = \sqrt{d^2 - d}$, $a_0 = [\sqrt{d^2 - d}] = d - 1$, because $(d - 1)^2 < d^2 - d < d^2$. Then $P_0 = 0$, $Q_0 = 1$, $P_1 = d - 1$, $Q_1 = d - 1$, $\alpha_1 = ((d - 1) + \sqrt{d^2 - d})/(d - 1) = 1 + \sqrt{d/(d - 1)}$, $a_1 = 2$, $P_2 = d - 1$, $Q_2 = 1$, $\alpha_2 = ((d - 1) + \sqrt{d^2 - d})/1$, $a_2 = 2(d - 1)$, $P_3 = P_1$, $Q_3 = Q_1$. Therefore, $\sqrt{d^2 - d} = [d - 1; 2, 2(d - 1)]$. c. [9; 1, 18], [10; 2, 20], [16; 2, 32], [24; 2, 48]

11. a. Note that $d < \sqrt{d^2 + 4} < d + 1$. Then $\alpha_0 = \sqrt{d^2 + 4}$, $a_0 = d$, $P_0 = 0$, $Q_0 = 1$, $P_1 = d$, $Q_1 = 4$, $\alpha_1 = (d + \sqrt{d^2 + 4})/4$, $a_1 = [2d/4] = (d - 1)/2$, because $d$ is odd. Also, $P_2 = d - 2$, $Q_2 = d$, $\alpha_2 = (d - 2 + \sqrt{d^2 + 4})/d$, $((d - 2) + d)/d < \alpha_2 < (d - 2 + d + 1)/d$, so $a_2 = 1$, $P_3 = 2$, $Q_3 = d$, $\alpha_3 = (2 + \sqrt{d^2 + 4})/d$, $a_3 = 1$, $P_4 = d - 2$, $Q_4 = 4$, $\alpha_4 = (d - 2 + \sqrt{d^2 + 4})/4$, $(d - 2 + d)/4 = (d - 1)/2 < \alpha_4 < (d - 2 + d + 1)/4$, so $a_4 = (d - 1)/2$, $P_5 = d$, $Q_5 = 1$, $\alpha_5 = (d + \sqrt{d^2 + 4})/1$, $a_5 = 2d$, $P_6 = d = P_1$, $Q_6 = 4 = Q_1$. Thus, $\alpha = [d; (d - 1)/2, 1, 1, (d - 1)/2, 2d]$. b. Note that $d - 1 < \sqrt{d^2 - 4} < d$. Then $\alpha_0 = \sqrt{d^2 - 4}$, $a_0 = d - 1$, $P_0 = 0$, $Q_0 = 1$, $P_1 = d - 1$, $Q_1 = 2d - 5$, $\alpha_1 = (d - 1 + \sqrt{d^2 - 4})/(2d - 5)$, $(d - 1 + d - 1)/(2d - 5) < \alpha_1 < (d - 1 + d)/(2d - 5)$ and $d > 3$ so $a_1 = 1$, $P_2 = d - 4$, $Q_2 = 4$, $\alpha_2 = (d - 4 + \sqrt{d^2 - 4})/4$, $a_2 = (d - 3)/2$, $P_3 = d - 2$, $Q_3 = d - 2$, $\alpha_3 = (d - 2 + \sqrt{d^2 - 4})/(d - 2)$, $a_3 = 2$, $P_4 = d - 2$, $Q_4 = 4$, $\alpha_4 = (d - 2 + \sqrt{d^2 - 4})/4$, $a_4 = (d - 3)/2$, $P_5 = d - 4$, $Q_5 = 2d - 5$, $\alpha_5 = (d - 4 + \sqrt{d^2 - 4})/(2d - 5)$, $a_5 = 1$, $P_6 = d - 1$, $Q_6 = 1$, $\alpha_6 = (d - 1 + \sqrt{d^2 - 4})/1$, $a_6 = 2d - 2$, $P_7 = d - 1 = P_1$, $Q_7 = 2d - 5 = Q_1$. Thus, $\alpha = [d - 1; 1, (d - 3)/2, 2, (d - 3)/2, 1, 2d - 2]$.

13. Suppose $\sqrt{d}$ has period length 2. Then $\sqrt{d} = [a; c, 2a]$ from the discussion preceding Example 12.16. Then $\sqrt{d} = [a; y]$ with $y = [c; 2a] = [c; 2a, y] = c + 1/(2a + (1/y)) = (2acy + c + y)/(2ay + 1)$. Then $2ay^2 - 2acy - c = 0$, and because $y$ is positive, we have $y = (2ac + \sqrt{(2ac)^2 + 4(2a)c})/(4a) = (ac + \sqrt{(ac)^2 + 2ac})/(2a)$. Then $\sqrt{d} = [a; y] = a + (1/y) = a + 2a/(ac + \sqrt{(ac)^2 + 2ac}) = \sqrt{a^2 + 2a/c}$, so $d = a^2 + 2a/c$, and $b = 2a/c$ is an integral divisor of $2a$. Conversely, let $\alpha = \sqrt{a^2 + b}$ and $b \mid 2a$, say, $kb = 2a$. Then $a_0 = [\sqrt{a^2 + b}] = a$, because $a^2 < a^2 + b < (a + 1)^2$. Then $P_0 = 0$, $Q_0 = 1$, $P_1 = a$, $Q_1 = b$, $\alpha_1 = (a + \sqrt{a^2 + b})/b$, $a_1 = k$, $P_2 = a$, $Q_2 = 1$, $\alpha_2 = (a + \sqrt{a^2 + b})/1$, $a_2 = 2a$, $P_3 = a = P_1$, $Q_3 = b = Q_1$, so $\alpha = [a; k, 2a]$, which has period length 2.
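
The $P_k$, $Q_k$ recurrence that Exercises 9, 11 and 13 carry out by hand can be run mechanically. The following Python sketch is an added example, not code from the book; the function names `sqrt_cf` and `period_two_form` are hypothetical, and the condition $b > 1$ in `period_two_form` is an assumption added here to separate period length 2 from period length 1.

```python
from math import isqrt


def sqrt_cf(d):
    """Continued fraction of sqrt(d) for a positive nonsquare integer d.

    Uses the recurrence worked by hand in the exercises above:
        P_{k+1} = a_k*Q_k - P_k
        Q_{k+1} = (d - P_{k+1}^2) / Q_k
        a_{k+1} = floor((P_{k+1} + sqrt(d)) / Q_{k+1})
    Returns (a0, period), meaning sqrt(d) = [a0; period, period, ...].
    """
    if d <= 0:
        raise ValueError("d must be a positive nonsquare integer")
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must be a positive nonsquare integer")
    P, Q, a = 0, 1, a0
    period = []
    while True:
        P = a * Q - P
        Q = (d - P * P) // Q      # this division is always exact
        a = (a0 + P) // Q         # equals floor((P + sqrt(d))/Q) since Q > 0
        period.append(a)
        if Q == 1:                # Q_k = 1 exactly at the end of a period
            return a0, period


def period_two_form(d):
    """Exercise 13's criterion: d = a^2 + b with b dividing 2a.

    Assumption added here: b = 1 is excluded, because sqrt(a^2 + 1) = [a; 2a]
    repeats with period length 1 rather than 2.
    """
    a = isqrt(d)
    b = d - a * a
    return b > 1 and (2 * a) % b == 0


if __name__ == "__main__":
    # Constructed sample values of d for the closed forms of Exercises 9 and 11.
    for d in (5, 7, 9):
        print(d, sqrt_cf(d * d - 1), sqrt_cf(d * d - d),
              sqrt_cf(d * d + 4), sqrt_cf(d * d - 4))
```

Stopping on $Q_k = 1$ returns the minimal period, so a repeated block such as [2, 2] is reported as [2].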

15. a. no b. yes c. yes d. no e. yes f. no 
17. Let $\alpha = (a + \sqrt{b})/c$. Then $-1/\alpha' = -(c)/(a - \sqrt{b}) = (ca + \sqrt{bc^2})/(b - a^2) = (A + \sqrt{B})/C$, say. By Exercise 16, $0 < a < \sqrt{b}$ and $\sqrt{b} - a < c < \sqrt{b} + a < 2\sqrt{b}$. Multiplying by $c$ gives $0 < ca < \sqrt{bc^2}$ and $\sqrt{bc^2} - ca < c^2 < \sqrt{bc^2} + ca < 2\sqrt{bc^2}$. That is, $0 < A < \sqrt{B}$ and $\sqrt{B} - A < c^2 < \sqrt{B} + A < 2\sqrt{B}$. Multiply $\sqrt{b} - a < c$ by $\sqrt{b} + a$ to get $C = b - a^2 < \sqrt{bc^2} + ca = A + \sqrt{B}$. Multiply $c < \sqrt{b} + a$ by $\sqrt{b} - a$ to get $\sqrt{B} - A = \sqrt{bc^2} - ac < b - a^2 = C$. So, $-1/\alpha'$ satisfies all the inequalities in Exercise 16, and therefore is reduced.

19 . Start with a 0 — fTf +3^ + 1 (this will have the same period because it differs from fTf by an 
integer) and use induction. Apply the continued fraction algorithm to show a 3/ = y/W k + 3 k — 2 ■ 
3*—i + 2/(2 • 3*-‘), i = 1, 2, . . . , k, but a 3k+3i = y/D~ k + 3 k - 2/(2 • 3*'), i = 1, 2, . . . , k - 1, 
and a 6k = fTf + 3 k + 1 = a 0 . Because a,- 7^ a 0 for i < 6k, we see that the period is 6k. 

Section 12.5 

1. Note that $19^2 - 2^2 = (19 - 2)(19 + 2) \equiv 0 \pmod{119}$. Then $(19 - 2, 119) = (17, 119) = 17$ and $(19 + 2, 119) = (21, 119) = 7$ are factors of 119.

3. 3119 · 4261

5. We have $17^2 = 289 \equiv 3 \pmod{143}$ and $19^2 = 361 \equiv 3 \cdot 5^2 \pmod{143}$. Combining these, we have $(17 \cdot 19)^2 \equiv 3^2 5^2 \pmod{143}$. Hence, $323^2 \equiv 15^2 \pmod{143}$. It follows that $323^2 - 15^2 = (323 - 15)(323 + 15) \equiv 0 \pmod{143}$. This produces the two factors $(323 - 15, 143) = (308, 143) = 11$ and $(323 + 15, 143) = (338, 143) = 13$ of 143.

7. 3001 · 4001
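
Exercises 1 and 5 both split $n$ from a congruence $x^2 \equiv y^2 \pmod{n}$; Exercise 5 first has to multiply two relations together so that the right-hand side becomes a perfect square. The Python sketch below is an added example, not from the book: it performs that combination step by Gaussian elimination over GF(2) on the exponent parities. The function names and the factor base [2, 3, 5] are assumptions chosen for illustration.

```python
from math import gcd


def smooth_exponents(r, factor_base):
    """Exponent vector of r over factor_base, or None if r does not factor over it."""
    if r == 0:
        return None
    exps = []
    for p in factor_base:
        e = 0
        while r % p == 0:
            r //= p
            e += 1
        exps.append(e)
    return exps if r == 1 else None


def find_dependency(rows):
    """Gaussian elimination over GF(2) on bitmask rows.

    Returns the indices of a subset of rows whose XOR is zero, so that the
    product of the corresponding residues has only even exponents, or None.
    """
    pivots = {}                        # lowest set bit -> (reduced row, rows combined)
    for i, vec in enumerate(rows):
        used = 1 << i
        while vec:
            low = vec & -vec
            if low not in pivots:
                pivots[low] = (vec, used)
                break
            pvec, pused = pivots[low]
            vec ^= pvec
            used ^= pused
        else:                          # row reduced to zero: dependency found
            return [j for j in range(i + 1) if used >> j & 1]
    return None


def factor_from_relations(n, xs, factor_base):
    """Combine relations x_i^2 = r_i (mod n) into x^2 = y^2 (mod n) and split n.

    Returns (x, y, gcd(x - y, n), gcd(x + y, n)) with x reduced mod n, or None
    when no square combination exists or it yields only the factors 1 and n.
    """
    relations = []
    for x in xs:
        exps = smooth_exponents(x * x % n, factor_base)
        if exps is not None:
            relations.append((x, exps))
    rows = [sum((e & 1) << k for k, e in enumerate(exps)) for _, exps in relations]
    subset = find_dependency(rows)
    if subset is None:
        return None
    x, total = 1, [0] * len(factor_base)
    for j in subset:
        xj, exps = relations[j]
        x = x * xj % n
        total = [t + e for t, e in zip(total, exps)]
    y = 1
    for p, t in zip(factor_base, total):
        y = y * pow(p, t // 2, n) % n
    f1, f2 = gcd(x - y, n), gcd(x + y, n)
    if f1 in (1, n):                   # x = +-y (mod n): nothing learned
        return None
    return x, y, f1, f2


if __name__ == "__main__":
    # The relations of Exercise 5 (17^2 and 19^2 mod 143) and Exercise 1 (19^2 mod 119).
    print(factor_from_relations(143, [17, 19], [2, 3, 5]))
    print(factor_from_relations(119, [19], [2, 3, 5]))
```

For Exercise 5 the returned $x$ is 37, which is 323 reduced modulo 143, so the gcds are the same 11 and 13.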

Section 13.1 

1. a. (3, 4, 5), (5, 12, 13), (15, 8, 17), (7, 24, 25), (21, 20, 29), (35, 12, 37) b. those in part (a) 
and (6, 8, 10), (9, 12, 15), (12, 16, 20), (15, 20, 25), (18, 24, 30), (21, 28, 35), (24, 32, 40), 
(10, 24, 26), (15, 36, 39), (30, 16, 34) 

3. By Lemma 13.1, 5 divides at most one of $x$, $y$, and $z$. If $5 \nmid x$ or $y$, then $x^2 \equiv \pm 1 \pmod 5$ and $y^2 \equiv \pm 1 \pmod 5$. Then $z^2 \equiv 0$, 2, or $-2 \pmod 5$. But $\pm 2$ is not a quadratic residue modulo 5, so $z^2 \equiv 0 \pmod 5$, whence $5 \mid z$.

5. Let $k$ be an integer $> 3$. If $k = 2n + 1$, let $m = n + 1$. Then $m$ and $n$ have opposite parity, $m > n$ and $m^2 - n^2 = 2n + 1 = k$, so $m$ and $n$ define the desired triple. If $k$ has an odd divisor $d > 1$, then use the construction above for $d$ and multiply the result by $k/d$. If $k$ has no odd divisors, then $k = 2^j$ for some integer $j > 1$. Let $m = 2^{j-1}$ and $n = 1$. Then $k = 2mn$, $m > n$, and $m$ and $n$ have opposite parity, so $m$ and $n$ define the desired triple.

7. Substituting $y = x + 1$ into the Pythagorean equation gives us $2x^2 + 2x + 1 = z^2$, which is equivalent to $m^2 - 2z^2 = -1$ where $m = 2x + 1$. Dividing by $z^2$ yields $m^2/z^2 - 2 = -1/z^2$. Note that $m/z > 1$, $1/z^2 = 2 - m^2/z^2 = (\sqrt{2} + m/z)(\sqrt{2} - m/z) < 2(\sqrt{2} - m/z)$. So by Theorem 12.18, $m/z$ must be a convergent of the continued fraction expansion of $\sqrt{2}$. Further, by the proof of Theorem 12.13, it must be one of the even-subscripted convergents. Therefore, each solution is given by the recurrence $m_{n+1} = 3m_n + 2z_n$, $z_{n+1} = 2m_n + 3m_n$. (See, e.g., Theorem 13.11.) Substituting $x$ back in yields the recurrences of Exercise 6.

9. See Exercise 15 with $p = 3$.

11. (9, 12, 15), (35, 12, 37), (5, 12, 13), (12, 16, 20) 

13. $x = 2m$, $y = m^2 - 1$, $z = m^2 + 1$, $m > 1$

15. primitive solutions given by $x = (m^2 - pn^2)/2$, $y = mn$, $z = (m^2 + pn^2)/2$ where $m > \sqrt{p}\,n$

17. Substituting $f_n = f_{n+2} - f_{n+1}$ and $f_{n+3} = f_{n+2} + f_{n+1}$ into $(f_nf_{n+3})^2 + (2f_{n+1}f_{n+2})^2$ yields $(f_{n+2} - f_{n+1})^2(f_{n+2} + f_{n+1})^2 + 4f_{n+1}^2f_{n+2}^2 = (f_{n+2}^2 - f_{n+1}^2)^2 + 4f_{n+1}^2f_{n+2}^2 = f_{n+2}^4 - 2f_{n+1}^2f_{n+2}^2 + f_{n+1}^4 + 4f_{n+1}^2f_{n+2}^2 = f_{n+2}^4 + 2f_{n+1}^2f_{n+2}^2 + f_{n+1}^4 = (f_{n+2}^2 + f_{n+1}^2)^2$, proving the result.

19. the point (1, 0) and all points $(r, s)$ with $r = (t^2 - 1)/(t^2 + 1)$ and $s = -2t/(t^2 + 1)$, with $t$ rational

21. the point (1, -1) and all points $(r, s)$ with $r = (t^2 - t - 1)/(t^2 + 1)$ and $s = (1 - 2t)/(t^2 + 1)$ with $t$ rational

23. the point (-1, 1) and all points $(r, s)$ with $r = (1 - t^2)/(1 + t + t^2)$ and $s = (t^2 + 2t)/(t^2 + t + 1)$ with $t$ rational

25. Suppose $x$ and $y$ are rational numbers such that $x^2 + y^2 = 3$. Then there exist integers $p$, $q$, and $r$ such that $x = p/r$ and $y = q/r$, where we assume without loss of generality that $x$ and $y$ have equal denominators. Then we have $p^2 + q^2 = 3r^2$. Further, without loss of generality, we may assume $p$, $q$ and $r$ are not all even, because we could divide the equation by 4 and have another solution. First suppose $r$ is odd. Then $r^2 \equiv 1 \pmod 4$ so $p^2 + q^2 \equiv 3 \pmod 4$. Because a square modulo 4 must be congruent to either 0 or 1, there are no solutions to this last congruence. Now suppose $r$ is even. Then $r^2 \equiv 0 \pmod 4$, so that $p^2 + q^2 \equiv 0 \pmod 4$. The only solutions to this congruence require that $p$ and $q$ are both even, which contradicts our assumption that $p$, $q$ and $r$ are not all even. Therefore, there are no rational points on the circle $x^2 + y^2 = 3$.

27. the point (0, 0, 1) and all points $(r, s, t)$ where $r = -2u/(u^2 + v^2 - 1)$, $s = -2v/(u^2 + v^2 - 1)$ and $t = (u^2 + v^2 + 1)/(u^2 + v^2 - 1)$ with $u$ and $v$ rational

Section 13.2 

1. Assume without loss of generality that $x < y$. Then $x^n + y^n = x^2x^{n-2} + y^2y^{n-2} < (x^2 + y^2)y^{n-2} = z^2y^{n-2} < z^2z^{n-2} = z^n$.

3. a. If $p \mid x$, $y$, or $z$, then certainly $p \mid xyz$. If not, then by Fermat’s Little Theorem, $x^{p-1} \equiv y^{p-1} \equiv z^{p-1} \equiv 1 \pmod p$. Hence, $1 + 1 \equiv 1 \pmod p$, which is impossible. b. We know $a^p \equiv a \pmod p$ for every integer $a$. Then $x^p + y^p \equiv z^p \pmod p$ implies $x + y \equiv z \pmod p$, so $p \mid x + y - z$.

5. Let $x$ and $y$ be the lengths of the legs and let $z$ be the hypotenuse. Then $x^2 + y^2 = z^2$. If the area is a perfect square, we have $A = \frac{1}{2}xy = r^2$. Then, if $x = m^2 - n^2$, and $y = 2mn$, we have $r^2 = mn(m^2 - n^2)$. All of these factors are relatively prime, so $m = a^2$, $n = b^2$, and $m^2 - n^2 = c^2$, say. Then, $a^4 - b^4 = c^2$, which contradicts Exercise 4.

7. We use the method of infinite descent. Assume there is a nonzero solution where $|x|$ is minimal. Then $(x, y) = 1$. Also $x$ and $z$ cannot both be even, because then $y$ would be odd and then $z^2 \equiv 8 \pmod{16}$, but 8 is not a quadratic residue modulo 16. Therefore, $x$ and $z$ are both odd, because $8y^4$ is even. From here it is easy to check that $(x, z) = 1$. We may also assume (by negating if necessary) that $x \equiv 1 \pmod 4$ and $z \equiv 3 \pmod 4$. Clearly, $x^2 > |z|$. We have $8y^4 = x^4 - z^2 = (x^2 - z)(x^2 + z)$. Because $z \equiv 3 \pmod 4$, we have $x^2 - z \equiv 2 \pmod 4$, so $m = (x^2 - z)/2$ is odd, and $n = (x^2 + z)/4$ is an integer. Because no odd prime can divide both $m$ and $n$, we have $(m, n) = 1$, $m, n > 0$ and $mn = y^4$, whence $m = r^4$ and $n = s^4$, with $(r, s) = 1$. So now $r^4 + 2s^4 = m + 2n = x^2$. This implies $(x, r) = 1$, because no odd prime divides $r$ and $x$ but not $s$, and $r$ and $x$ are both odd. Also, $|x| > r^2 > 0$. Now consider $2s^4 = (x^2 - r^4) = (x - r^2)(x + r^2)$. Then $s$ must be even because a difference of squares is not congruent to 2 (mod 4), so $s = 2t$ and $32t^4 = (x - r^2)(x + r^2)$. Recalling $x \equiv 1 \pmod 4$ and $r$ is odd, we have $U = (x + r^2)/2$ is odd and $V = (x - r^2)/16$ is an integer. Again $(U, V) = 1$ and $UV = t^4$, but we don’t know the sign of $x$. So $U = \pm u^4$ and $V = \pm v^4$, depending on the sign of $x$. Now $r^2 = \pm(u^4 - 8v^4)$. But because $u$ is odd, we can rule out the case with the minus sign (or else $r^2 \equiv 7 \pmod 8$). Therefore, we must have the plus sign (hence, $x$ is positive), and we have $u^4 - 8v^4 = r^2$. Finally, $|v| > 0$ because $|x + r^2| > 0$. So we haven’t reduced to a trivial case. Then $u^4 = U \le |x + r^2|/2 < x$, so $|u| < x$, and so $|x|$ was not minimal. This contradiction shows that there are no nontrivial solutions.

9. Suppose that $x = a/b$, where $a$ and $b$ are relatively prime and $b \ne 0$. Then $y^2 = (a^4 + b^4)/b^4$, from which we deduce that $y = z/b^2$ for some integer $z$. Then $z^2 = a^4 + b^4$, which has no nonzero solutions by Theorem 13.3. Because $b \ne 0$, it follows that $z \ne 0$. Therefore, $a = 0$, and hence $x = 0$, and consequently $y = \pm 1$. These are the only solutions.

11. If $x$ were even, then $y^2 = x^3 + 23 \equiv 3 \pmod 4$, which is impossible, so $x$ must be odd, making $y$ even, say, $y = 2v$. If $x \equiv 3 \pmod 4$, then $y^2 \equiv 3^3 + 23 \equiv 2 \pmod 4$, which is also impossible, so $x \equiv 1 \pmod 4$. Add 4 to both sides of the equation to get $y^2 + 4 = 4v^2 + 4 = x^3 + 27 = (x + 3)(x^2 - 3x + 9)$. Then $z = x^2 - 3x + 9 \equiv 1 - 3 + 9 \equiv 3 \pmod 4$, so a prime $p \equiv 3 \pmod 4$ must divide $z$. Then $4v^2 + 4 \equiv 0 \pmod p$ or $v^2 \equiv -1 \pmod p$. But this shows that a prime congruent to 3 modulo 4 has $-1$ as a quadratic residue, which contradicts Theorem 11.5. Therefore, the equation has no solutions.

13. This follows from Exercise 4 and Theorem 13.2. 

15. Assume that $n \nmid xyz$, and $(x, y, z) = 1$. Now $(-x)^n = y^n + z^n = (y + z)(y^{n-1} - y^{n-2}z + \cdots + z^{n-1})$, and these factors are relatively prime, so they are $n$th powers, say, $y + z = a^n$, and $y^{n-1} - y^{n-2}z + \cdots + z^{n-1} = \alpha^n$, whence $x = a\alpha$. Similarly, $z + x = b^n$, and $(z^{n-1} - z^{n-2}x + \cdots + x^{n-1}) = \beta^n$, $-y = b\beta$, $x + y = c^n$, and $(x^{n-1} - x^{n-2}y + \cdots + y^{n-1}) = \gamma^n$, and $-z = c\gamma$. Because $x^n + y^n + z^n \equiv 0 \pmod p$, we have $p \mid xyz$, say, $p \mid x$. Then $\gamma^n = (x^{n-1} - x^{n-2}y + \cdots + y^{n-1}) \equiv y^{n-1} \pmod p$. Also, $2x = b^n + c^n + (-a)^n \equiv 0 \pmod p$, so by the condition on $p$, we have $p \mid abc$. If $p \mid b$, then $y = -b\beta \equiv 0 \pmod p$, but then $p \mid x$ and $y$, a contradiction. Similarly, $p$ cannot divide $c$. Therefore, $p \mid a$, so $y \equiv -z \pmod p$, and so $\alpha^n = (y^{n-1} - y^{n-2}z + \cdots + z^{n-1}) \equiv ny^{n-1} \equiv n\gamma^n \pmod p$. Let $g$ be the inverse of $\gamma \pmod p$; then $(\alpha g)^n \equiv n \pmod p$, which contradicts the condition that there is no solution to $w^n \equiv n \pmod p$.

17. 3, 4, 5, 6 

19. If $m \ge 3$, then modulo 8 we have $3^n \equiv -1 \pmod 8$, which is impossible, so $m = 1$ or 2. If $m = 1$, then $3^n = 2 - 1 = 1$, which implies that $n = 0$, which is not a positive integer, so we have no solutions in this case. If $m = 2$, then $3^n = 2^2 - 1 = 3$, which implies that $n = 1$, and this is the only solution.

21. a. Substituting the expressions into the left-hand side of the equation yields $a^2 + b^2 + (3ab - c)^2 = a^2 + b^2 + 9a^2b^2 - 6abc + c^2 = (a^2 + b^2 + c^2) + 9a^2b^2 - 6abc$. Because $(a, b, c)$ is a solution to Markoff’s equation, we substitute $a^2 + b^2 + c^2 = 3abc$ to get the last expression equal to $3abc + 9a^2b^2 - 6abc = 9a^2b^2 - 3abc = 3ab(3ab - c)$, which is the right-hand side of Markoff’s equation evaluated at these expressions. b. Case 1: If $x = y = z$, then Markoff’s equation becomes $3x^2 = 3xyz$, so that $1 = yz$. Then $y = z = 1$ and then $x = 1$, so the only solution in this case is (1, 1, 1).

Case 2: If $x = y \ne z$, then $2x^2 + z^2 = 3x^2z$, which implies that $x^2 \mid z^2$ or $x \mid z$, say $dx = z$. Then $2x^2 + d^2x^2 = 3dx^3$ or $2 + d^2 = 3dx$ or $2 = d(3x - d)$. So $d \mid 2$, but because $x \ne z$, we must have $d = 2$. Then $3x - d = 1$, so that $x = 1 = y$ and $z = 2$, so the only solution in this case is (1, 1, 2).

Case 3: Assume $x < y < z$. From $z^2 - 3xyz + x^2 + y^2 = 0$, we apply the quadratic formula to get $2z = 3xy \pm \sqrt{9x^2y^2 - 4(x^2 + y^2)}$. Note that $8x^2y^2 - 4x^2 - 4y^2 = 4x^2(y^2 - 1) + 4y^2(x^2 - 1) > 0$, so in the “minus” case of the quadratic formula, we have $2z < 3xy - \sqrt{9x^2y^2 - 8x^2y^2} = 3xy - xy = 2xy$, or $z < xy$. But $3xyz = x^2 + y^2 + z^2 < 3z^2$, so that $xy < z$, a contradiction; therefore, we must have the “plus” case in the quadratic formula and $2z = 3xy + \sqrt{9x^2y^2 - 4(x^2 + y^2)} > 3xy$, so that $z > 3xy - z$. This last expression is the formula for the generation of $z$ in part (a). Therefore, by successive use of the formula in part (a), we will reduce the value of $x + y + z$ until it is one of the solutions in case 1 or case 2.

23. Let $\epsilon > 0$ be given; then the abc conjecture gives us $\max(|a|, |b|, |c|) < K(\epsilon)\,\mathrm{rad}(abc)^{1+\epsilon}$ for integers $(a, b) = 1$ and $a + b = c$. Set $M = \log K(\epsilon)/\log 2 + (3 + 3\epsilon)$. Suppose $x, y, z, a, b, c$ are positive integers with $(x, y) = 1$ and $x^a + y^b = z^c$, so that we have a solution to Beal’s equation. Assume $\min(a, b, c) > M$. From the abc conjecture, and because $\mathrm{rad}(x^ay^bz^c) = \mathrm{rad}(xyz)$, we have $\max(x^a, y^b, z^c) < K(\epsilon)\,\mathrm{rad}(xyz)^{1+\epsilon} < (xyz)^{1+\epsilon}$. If $\max(x, y, z) = x$, then we would have $x^a < K(\epsilon)x^{3(1+\epsilon)}$. Taking logs of both sides yields $a < \log K(\epsilon)/\log x + (3 + 3\epsilon) < \log K(\epsilon)/\log 2 + (3 + 3\epsilon) = M$, a contradiction. Similarly if the maximum is $y$ or $z$. Therefore, if the abc conjecture is true, there are no solutions to the Beal conjecture for sufficiently large exponents.

Section 13.3 

1. a. $19^2 + 4^2$ b. $23^2 + 11^2$ c. $37^2 + 9^2$ d. $137^2 + 9^2$

3. a. $5^2 + 3^2$ b. $9^2 + 3^2$ c. $10^2 + 0^2$ d. $21^2 + 7^2$ e. $133^2 + 63^2$ f. $448^2 + 352^2$

5. a. $1^2 + 1^2 + 1^2$ b. $8^2 + 5^2 + 1^2$ c. $3^2 + 1^2 + 1^2$ d. $3^2 + 3^2 + 0^2$ e. not possible f. not possible

7. Let $n = x^2 + y^2 + z^2 = 4^m(8k + 7)$. If $m = 0$, then see Exercise 6. If $m \ge 1$, then $n$ is even, so none or two of $x, y, z$ are odd. If two are odd, $x^2 + y^2 + z^2 \equiv 2$ or $6 \pmod 8$, but then $4 \nmid n$, a contradiction, so all of $x, y, z$ are even. Then $4^{m-1}(8k + 7) = (x/2)^2 + (y/2)^2 + (z/2)^2$ is the sum of three squares. Repeat until $m = 0$ and use Exercise 6 to get a contradiction.

9. a. $10^2 + 1^2 + 0^2 + 2^2$ b. $22^2 + 4^2 + 1^2 + 3^2$ c. $14^2 + 4^2 + 1^2 + 5^2$ d. $56^2 + 12^2 + 17^2 + 1^2$

11. Let $m = n - 169$. Then $m$ is the sum of four squares: $m = x^2 + y^2 + z^2 + w^2$. If, say, $x, y, z$ are 0, then $n = w^2 + 169 = w^2 + 10^2 + 8^2 + 2^2 + 1^2$. If, say, $x, y$ are 0, then $n = z^2 + w^2 + 169 = z^2 + w^2 + 12^2 + 4^2 + 3^2$. If, say, $x$ is 0, then $n = y^2 + z^2 + w^2 + 169 = y^2 + z^2 + w^2 + 12^2 + 5^2$. If none are 0, then $n = x^2 + y^2 + z^2 + w^2 + 13^2$.

13. If $k$ is odd, then $2^k$ is not the sum of four positive squares. Suppose $k \ge 3$, and $2^k = x^2 + y^2 + z^2 + w^2$. Then either none, two, or four of the squares are odd. Modulo 8, we have $0 \equiv x^2 + y^2 + z^2 + w^2$, and because an odd square is congruent to 1 modulo 8, the only possibility is to have $x, y, z, w$ all even. But then we can divide by 4 to get $2^{k-2} = (x/2)^2 + (y/2)^2 + (z/2)^2 + (w/2)^2$. Either $k - 2 \ge 3$ and we can repeat the argument, or $k - 2 = 1$, in which case we have two equal to the sum of four positive squares, a contradiction.

15. If $p = 2$ the theorem is obvious. Else, $p = 4k + 1$, whence $-1$ is a quadratic residue modulo $p$, say, $a^2 \equiv -1 \pmod p$. Let $x$ and $y$ be as in Thue’s lemma. Then $x^2 < p$ and $y^2 < p$ and $-x^2 \equiv (ax)^2 \equiv y^2 \pmod p$. Thus, $p \mid x^2 + y^2 < 2p$; therefore, $p = x^2 + y^2$ as desired.

17. The left sum runs over every pair of integers $i < j$, for $1 \le i < j \le 4$, so there are six terms. Each integer subscript 1, 2, 3, and 4 appears in exactly three pairs, so

$$\sum_{1 \le i < j \le 4} \left[(x_i + x_j)^4 + (x_i - x_j)^4\right] = \sum_{1 \le i < j \le 4} \left(2x_i^4 + 12x_i^2x_j^2 + 2x_j^4\right) = \sum_{k=1}^{4} 6x_k^4 + \sum_{1 \le i < j \le 4} 12x_i^2x_j^2 = 6\left(\sum_{k=1}^{4} x_k^2\right)^2.$$

19. If $m$ is positive, then $m = \sum_{k=1}^{4} x_k^2$, for some $x_k$’s. Then $6m = 6\sum_{k=1}^{4} x_k^2 = \sum_{k=1}^{4} 6x_k^2$. Each term of the last sum is the sum of 12 fourth powers by Exercise 18. Therefore, $6m$ is the sum of 48 fourth powers.





21. For $n = 1, 2, \ldots, 50$, $n = \sum_{1}^{n} 1^4$. For $n = 51, 52, \ldots, 81$, $n - 48 = n - 3(2^4) = \sum_{1}^{n-48} 1^4$, so $n = 2^4 + 2^4 + 2^4 + \sum_{1}^{n-48} 1^4$ is the sum of $(n - 45)$ fourth powers, and $n - 45 \le 36 < 50$. This result, coupled with the result from Exercise 20, shows that all positive integers can be written as the sum of 50 or fewer fourth powers. That is, $g(4) \le 50$.

23. The only quartic residues modulo 16 are 0 and 1. Therefore, the sum of fewer than 15 fourth powers must have a least nonnegative residue between 0 and 14 (mod 16), which excludes any integer congruent to 15 (mod 16).

Section 13.4 

1. a. (±2, 0), (±1, ±1) b. none c. (±1, ±2) 

3. a. yes b. no c. yes d. yes e. yes f. no 

5. (73, 12), (10657, 1752), (1555849, 255780) 

7. (6239765965720528801, 798920165762330040) 

9. Reduce modulo $p$ to get $x^2 \equiv -1 \pmod p$. Because $-1$ is a quadratic nonresidue modulo $p$ if $p = 4k + 3$, there is no solution.

11. Let $p_0 = 0$, $p_1 = 3$, $p_k = 2p_{k-1} + p_{k-2}$, $q_0 = 1$, $q_1 = 1$, and $q_k = 2q_{k-1} + q_{k-2}$. Then the legs are $x = p_k^2 + 2p_kq_k$ and $y = 2p_kq_k + 2q_k^2$.

13. Suppose there is a solution $(x, y)$. Then $x$ must be odd. Note that $(x^2 + 1)^2 = x^4 + 2x^2 + 1 = 2y^2 + 2x^2$ and $(x^2 - 1)^2 = x^4 - 2x^2 + 1 = 2y^2 - 2x^2$. Multiplying these two equations together yields $(x^4 - 1)^2 = 4(y^4 - x^4)$, or because $x^4 \equiv 1 \pmod 4$, $((x^4 - 1)/2)^2 = y^4 - x^4$. This contradicts Exercise 4 in Section 13.2.

Section 13.5 

1. Let $(x, y, z)$ be a primitive Pythagorean triple. Then there exist relatively prime integers $m$ and $n$ of opposite parity such that $x = m^2 - n^2$, $y = 2mn$ and $z = m^2 + n^2$. Then the area of the triangle is $xy/2 = (m^2 - n^2)2nm/2 = mn(m^2 - n^2)$ which is even because one of $m$ and $n$ must be even.

3. 14,330,390,210 

5. a. 15 b. 21 c. 210 d. 5 

7. Let $n$ be any positive integer and consider the Pythagorean triangle with sides $3n$, $4n$, and $5n$. The area of this triangle is $(3n)(4n)/2 = 6n^2$. Therefore, $6n^2$ is a congruent number for every positive integer $n$.

9. Consider the right triangle with legs of length $\sqrt{2}$. The length of the hypotenuse is $\sqrt{\sqrt{2}^2 + \sqrt{2}^2} = 2$, so if we assume that $\sqrt{2}$ is rational, this is a rational triangle. We compute its area to be $(1/2)\sqrt{2}\sqrt{2} = 1$. This implies that 1 is a congruent number, which is false. Therefore, $\sqrt{2}$ must be irrational.

11. Let $n$ be a congruent number and suppose $n = 2k^2$ where $k$ is an integer. Assume $n$ is a congruent number. Then Theorem 13.16 tells us that $n$ must be the common difference of a progression of three squares. Specifically, there are integers $r$, $s$, and $t$ such that $t^2 - s^2 = n$ and $s^2 - r^2 = n$. Then $t^2 = s^2 + n$ and $r^2 = s^2 - n$. Multiplying these last two equations yields $(rt)^2 = s^4 - n^2 = s^4 - 4k^4$. Let $z = rt$, $x = s$, and $y = k$. Then the equation becomes $x^4 - 4y^4 = z^2$. Suppose that the equation has solutions in the positive integers. By the well-ordering property, there is a solution $(x, y, z)$ having the smallest value for $x$. Rewriting the equation as $z^2 + (2y^2)^2 = (x^2)^2$ shows that $(z, 2y^2, x^2)$ is a Pythagorean triple. Check that this triple must be primitive. Then there exist relatively prime integers $u$ and $v$ of opposite parity such that $z = u^2 - v^2$, $2y^2 = 2uv$, and $x^2 = u^2 + v^2$. Then $y^2 = uv$ and $(u, v) = 1$, so $u = a^2$ and $v = b^2$ for some integers $a$ and $b$. Then $x^2 = a^4 + b^4$, which has no nonzero solutions according to Theorem 13.3. Therefore, $n$ can not be congruent.

13. a. Because 1 is not a congruent number, Theorem 13.16 says that it cannot be the common difference of an arithmetic progression of three squares. b. Because $8 = 2^2 \cdot 2$ and 2 is not a congruent number, we know that 8 is not a congruent number. By Theorem 13.16, 8 cannot be the common difference of an arithmetic progression of three squares. c. By Theorem 13.15, $25 = 5^2$ cannot be the area of a rational right triangle and therefore cannot be a congruent number. Then by Theorem 13.16, 25 cannot be the common difference of an arithmetic progression of three squares. d. If $48 = 4^2 \cdot 3$ were the common difference of an arithmetic progression of three squares, then it would be a congruent number by Theorem 13.16. By definition, it would be the area of a rational right triangle. But then we could divide the lengths of the sides of the triangle by 4 and we would have a rational right triangle of area 3, which implies that 3 would be a congruent number, contrary to Exercise 12.

15. r = 337/120 

17. (12,7/2,25/2) 

19. a. Let $r$ be the common difference of the arithmetic progression. Then $a^2 = b^2 - r$ and $c^2 = b^2 + r$. Then $(a/b)^2 + (c/b)^2 = (a^2 + c^2)/b^2 = ((b^2 - r) + (b^2 + r))/b^2 = 2b^2/b^2 = 2$. Therefore, $(a/b, c/b)$ is a rational point on $x^2 + y^2 = 2$. b. Because $x^2 + y^2 = 2 = 1 + 1$, we have $y^2 - 1 = 1 - x^2$. Multiply through by $t^2$ to get $(ty)^2 - t^2 = t^2 - (tx)^2$, which shows that $(tx)^2$, $t^2$, $(ty)^2$ is an arithmetic progression.

21. (x, y) = (112/9, 980/27) 

23. If there is a rational point on the elliptic curve y 2 — x 2 — 2 2 x, then by Theorem 13.18, 2 would 
be a congruent number, a contradiction. 

25. (11894/1443,26760/3367, 115658/10101) 

27. P 3 = (16689/2704, -1074861/140608) and the triangle is (76130/10101, 32112/3367, 
112768/10101) 

29. $(1151/140)^2$, $(1201/140)^2$, $(1249/140)^2$ and $(4319999/2639802)^2$, $(7776485/2639802)^2$, $(10113607/2639802)^2$

31. a. The solutions to 1 = 2 jc 2 + y 2 + 32z 2 are x = z = 0, y = ±1, so A x = 2. The solutions to 
1 = lx 2 + y 2 + 8z 2 are x — z — 0, y — ±1, so B x — 2. Because A x ^ B x /2, we conclude that 1 is 
not a congruent number by Tunnell’s theorem, b. The solutions to 10 = 8x 2 + 2y 2 + 64z 2 
are (±1, ±1, 0), so C xo = 4. The solutions to 10 = Sx 2 + 2y 2 + 16z 2 are (±1, ±1, 0), so 
D 10 = 4. Because C 10 ^ D 10 /2, we conclude that 10 is not a congruent number by Tunnell’s 
theorem, c. The solutions to 17 = 2x 2 + y 2 + 32z 2 are (±2, ±3, 0), so A 17 = 4. The solutions 
to 17 = 2 jc 2 + y 2 + 8z 2 are (±2, ±3, 0), (±2, ±1, ±1), and (0, ±3, ±1), so Bn = 16. Because 
A 17 ^ Bn/ 2, we conclude that 17 is not a congruent number by Tunnell’s theorem. 

33. The solutions to $41 = 2x^2 + y^2 + 32z^2$ are $(\pm 4, \pm 3, 0)$, $(\pm 2, \pm 1, \pm 1)$, and $(0, \pm 3, \pm 1)$, so 
$A_{41} = 16$. The solutions to $41 = 2x^2 + y^2 + 8z^2$ are $(\pm 4, \pm 3, 0)$, $(\pm 4, \pm 1, \pm 1)$, $(\pm 2, \pm 5, \pm 1)$, 
$(\pm 2, \pm 1, \pm 2)$, and $(0, \pm 3, \pm 2)$, so $B_{41} = 32$. Because $A_{41} = B_{41}/2$ we conclude that 41 is a 
congruent number by Tunnell's theorem. 

35. For the case $n \equiv 5$ or $7 \pmod 8$, we note that $n$ is odd and reduce the left sides of the first two 
equations in Tunnell's theorem modulo 8. Both expressions become $2x^2 + y^2 \pmod 8$. Because a 
square must be congruent to 0, 1, or 4 (mod 8), the right side of the congruence must be congruent 
to 0, 1, 2, 3, 4, or 6, and none of these are 5 or 7 (mod 8). Therefore $A_n = 0 = B_n/2$. By Tunnell's 
theorem, $n$ must be a congruent number. For the case $n \equiv 6 \pmod 8$, we note that $n$ is even and 
reduce the last two equations in Tunnell's theorem modulo 8. Both equations reduce to $6 \equiv n \equiv 2y^2 
\pmod 8$. Because $n$ is even, we may divide by 2 to get $3 \equiv n/2 \equiv y^2 \pmod 4$. Because 3 is not a 
quadratic residue modulo 4, there are no solutions to either equation. Therefore, $C_n = 0 = D_n/2$. 
By Tunnell's theorem, $n$ must be a congruent number. 
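
The counts in the answers to Exercises 31, 33 and 35 can be checked by direct enumeration. The following is an added example, not code from the book; the function names are assumptions, and it goes slightly beyond the answers by also checking the mod 8 claim of Exercise 35 for every squarefree n below 200.

```python
from math import isqrt

# Coefficients (a, b, c) of a*x^2 + b*y^2 + c*z^2 = n for the four counts
# A_n, B_n (n odd) and C_n, D_n (n even) used in the answers above.
FORMS = {"A": (2, 1, 32), "B": (2, 1, 8), "C": (8, 2, 64), "D": (8, 2, 16)}


def is_squarefree(n):
    """True when no square d*d with d >= 2 divides n."""
    return all(n % (d * d) for d in range(2, isqrt(n) + 1))


def count_solutions(n, form):
    """Number of integer triples (x, y, z) with a*x^2 + b*y^2 + c*z^2 == n."""
    a, b, c = FORMS[form]
    total = 0
    zmax = isqrt(n // c)
    for z in range(-zmax, zmax + 1):
        rest_z = n - c * z * z
        xmax = isqrt(rest_z // a)
        for x in range(-xmax, xmax + 1):
            rest = rest_z - a * x * x          # this must equal b*y^2
            if rest % b:
                continue
            y2 = rest // b
            y = isqrt(y2)
            if y * y == y2:
                total += 1 if y == 0 else 2    # y = 0 once, otherwise +y and -y
    return total


def tunnell_counts(n):
    """(A_n, B_n) for odd squarefree n, (C_n, D_n) for even squarefree n."""
    if n < 1 or not is_squarefree(n):
        raise ValueError("Tunnell's criterion is stated for squarefree positive n")
    first, second = ("A", "B") if n % 2 else ("C", "D")
    return count_solutions(n, first), count_solutions(n, second)


def passes_tunnell(n):
    """True when the first count is exactly half of the second.

    A False result proves n is not a congruent number. A True result gives
    'congruent' only under the converse direction of Tunnell's theorem, which
    is known to hold if the Birch and Swinnerton-Dyer conjecture holds.
    """
    first, second = tunnell_counts(n)
    return 2 * first == second


if __name__ == "__main__":
    for n in (1, 10, 17, 41):
        print(n, tunnell_counts(n), passes_tunnell(n))
```
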

37. First suppose $n > 2$. Let $r = 2n/(n - 2)$ and $s = (n - 2)/4$. Check that $(2, r - 1/r, r + 1/r)$ 
and $(2, s - 1/s, s + 1/s)$ satisfy the Pythagorean theorem, so these triples represent right 
triangles. Because $n$ is an integer, we see that the sides of both triangles have rational 
lengths. If we glue these triangles together along the side of length 2, then we have a triangle 
with sides $(r + 1/r, s + 1/s, r - 1/r + s - 1/s)$. Note that the common side of length 2 is now 
an altitude of the new triangle. Therefore, the area of the triangle is $(1/2) \cdot 2(r - 1/r + s - 1/s) = 
2n/(n - 2) - (n - 2)/2n + (n - 2)/4 - 4/(n - 2) = (2n - 4)/(n - 2) + (n^2 - 4n + 4)/4n = 
2 + (n^2 - 4n + 4)/4n = (n^2 + 4n + 4)/4n = (n + 2)^2/4n$, which is rational, making this a Heron 
triangle. If we multiply all the sides by the rational number $2n/(n + 2)$, then the area will be 
multiplied by its square, yielding $((n + 2)^2/4n)(4n^2/(n + 2)^2) = n$ for the final area. If $n = 1$ or 
2, then we perform the above construction to get a Heron triangle of area 4 or 8, respectively, and 
then divide all sides by 2, which will divide the area by 4, yielding a Heron triangle of area 1 or 
2, respectively. 

39. a. Suppose $n$ is a $t$-congruent number. Then there exist rational numbers $a$, $b$, and $c$ satisfying 
$2n = ab(2t)/(t^2 + 1)$ and $c^2 = a^2 + b^2 - 2ab(t^2 - 1)/(t^2 + 1)$. Note that the first equation 
implies $n/t = ab/(t^2 + 1)$. We seek to show that the point $(c^2/4, (ca^2 - cb^2)/8)$ is a point 
on the curve. First note that $x - n/t = c^2/4 - n/t = (a^2 + b^2 - 2ab(t^2 - 1)/(t^2 + 1))/4 - 
ab/(t^2 + 1) = (a^2 + b^2 - 2ab)/4 = (a - b)^2/4$. Then note that $x + nt = c^2/4 + nt = (a^2 + 
b^2 - 2ab(t^2 - 1)/(t^2 + 1))/4 + 2abt^2/(t^2 + 1) = (a^2 + b^2 + 2ab)/4 = (a + b)^2/4$. Then 
$x(x - n/t)(x + nt) = (c^2/4)((a - b)^2/4)((a + b)^2)/4 = ((ca^2 - cb^2)/8)^2 = y^2$, so this is a 
rational point on the curve. Note that $y \ne 0$ unless $a = b$. If $a = b$, then the defining equations 
become $2a^2 - 2a^2(t^2 - 1)/(t^2 + 1) = c^2$, and $n/t = a^2/(t^2 + 1)$. Solve the first equation to get 
$t^2 + 1 = (2a/c)^2$ and use this in the second equation to get $n/t = (c/a)^2$, so both $t^2 + 1$ and 
$n/t$ are rational squares. Conversely, suppose $(x, y)$ is a rational point on the curve with $y \ne 0$. 
Substitute the values $a = n|x(1 + t^2)/(yt)|$, $b = |(x - n/t)(x + nt)/y|$, and $c = |(x^2 + n^2)/y|$ 
into the defining equations to see that $n$ is a $t$-congruent number. If $n/t$ and $t^2 + 1$ are nonzero 
rational squares, then substitute $c = 2\sqrt{n/t}$ and $a = c = \sqrt{n(t^2 + 1)/t}$ into the defining equations 
to see that $n$ is a $t$-congruent number. b. For the given values, $x(x - n/t)(x + nt) = 
-6(-6 - 12/(4/3))(-6 + 12(4/3)) = -6(-6 - 9)(-6 + 16) = 6(15)(10) = 900 = 30^2 = y^2$. 
c. Part (b) shows that, for $n = 12$ and $t = 4/3$, the curve $y^2 = x(x - n/t)(x + nt)$ has a rational 
point, $(-6, 30)$, with $y \ne 0$. Therefore, 12 is a 4/3-congruent number. Then using the formulas from 
part (a), we have $a = |((-6)^2 + 12^2)/30| = 6$, $b = |(-6 - 12/(4/3))(-6 + 12(4/3))/30| = 5$, 
and $c = 12\,|-6(4/3 + 1/(4/3))/30| = 5$. Check that the triangle with sides 6, 5, and 5 has 
area equal to 12. d. Given a positive integer $n$, Exercise 37 tells us there exists a Heron 
triangle $(x, y, z)$ of area $n$. Then from Exercise 38, if the angle between $x$ and $y$ is $\theta$, then 
$\sin\theta = 2t/(t^2 + 1)$ and $\cos\theta = (t^2 - 1)/(t^2 + 1)$ for some rational $t$. The law of cosines 
tells us that $z^2 = x^2 + y^2 - 2xy\cos\theta = x^2 + y^2 - 2xy(t^2 - 1)/(t^2 + 1)$. Because the area is 
$n = xy\sin(\theta)/2 = xy(2t/(t^2 + 1)$, we see that $n$ is a $t$-congruent number. 

Section 14.1 

1. a. $5 + 15i$ b. $46 - 9i$ c. $-26 - 18i$ 

3. a. yes b. yes c. no d. yes 

5. $(4a - 3b) + (4b + 3a)i$ where $a$ and $b$ are rational integers (see the Student Solutions Manual for 
the display of such integers). 

7. Because $\alpha \mid \beta$ and $\beta \mid \gamma$, there exist Gaussian integers $\mu$ and $\nu$ such that $\mu\alpha = \beta$ and $\nu\beta = \gamma$. 
Because the product of Gaussian integers is a Gaussian integer, $\nu\mu$ is also a Gaussian integer. It 
follows that $\alpha \mid \gamma$. 
9. Note that $x^5 = x$ if and only if $x^5 - x = x(x - 1)(x + 1)(x - i)(x + i) = 0$. The solutions of 
this equation are $0, 1, -1, i$, and $-i$. These are the four Gaussian integers that are units, together 
with 0. 

11. Because $\alpha \mid \beta$ and $\beta \mid \alpha$, there exist Gaussian integers $\mu$ and $\nu$ such that $\alpha\mu = \beta$ and $\beta\nu = \alpha$. Then 
$\alpha = \alpha\mu\nu$. Taking norms of both sides yields $N(\alpha) = N(\alpha\mu\nu) = N(\alpha)N(\mu\nu)$ by Theorem 14.1, 
so that $N(\mu)N(\nu) = 1$. Because $\mu$ and $\nu$ are Gaussian integers, their norms must be nonnegative 
rational integers. Therefore, $N(\mu) = N(\nu) = 1$, and so $\mu$ and $\nu$ are units, and hence, $\alpha$ and $\beta$ are 
associates. 

13. The pair $\alpha = 1 + 2i$, $\beta = 2 + i$ is a counterexample. 

15. We show that such an associate exists. If $a > 0$ and $b > 0$, then the desired inequalities are met. 
If $a < 0$ and $b > 0$, then we multiply by $-i$ to get $-i\alpha = b - ai = c + di$, which has $c > 0$ and 
$d > 0$. If $a < 0$ and $b < 0$, then we multiply by $-1$ to get $-\alpha = -a - bi = c + di$, which has 
$c > 0$ and $d > 0$. If $a > 0$ and $b < 0$, then we multiply by $i$ to get $i\alpha = -b + ai = c + di$, which 
has $c > 0$ and $d > 0$. (We have covered the quadrants in the plane in counterclockwise order.) 
Having found the associate $c + di$ in the first quadrant, we observe that it is unique, because if we 
multiply by any unit other than one, we get, respectively, $-c - di$, which has $-c < 0$, $-d + ci$, 
which has $-d < 0$, or $d - ci$, which has $-c < 0$. 

17. a. $\gamma = 3 - 5i$, $\rho = -3i$, $N(\rho) = 3^2 + 0^2 = 9 < N(\beta) = 3^2 + 3^2 = 18$ b. $\gamma = 5 - i$, $\rho = -1 - 2i$, 
$N(\rho) = 5 < N(\beta) = 25$ c. $\gamma = -1 + 8i$, $\rho = -5 - 3i$, $N(\rho) = 5^2 + 3^2 = 34 < N(\beta) = 
11^2 + 2^2 = 125$ 

19. a. $\gamma = 2 - 5i$, $\rho = 3$ b. $\gamma = 4 - i$, $\rho = 2 + 2i$ c. $\gamma = -1 + 7i$, $\rho = -3 + 8i$ 

21. 1,2, and 4 

23. If $a$ and $b$ are both even, then the Gaussian integer is divisible by 2. Because $(1 + i)(1 - i) = 2$, 
then $1 + i$ is a divisor of 2, which is in turn a divisor of $a + bi$. If $a$ and $b$ are both odd, we may 
write $a + bi = (1 + i) + (a - 1) + (b - 1)i$, and $a - 1$ and $b - 1$ are both even. Because both 
of these Gaussian integers are multiples of $1 + i$, so is their sum. If $a$ is odd and $b$ is even, then 
$a - 1 + bi$ is a multiple of $1 + i$ and hence $(a + bi) - (a - 1 + bi) = 1$ is a multiple of $1 + i$ if 
$a + bi$ is, a contradiction. A similar argument shows that if $a$ is even and $b$ is odd, then $1 + i$ does 
not divide $a + bi$. 

25. $\pm 1 \pm 2i$ 

27. Suppose $7 = (a + bi)(c + di)$ where $a + bi$ and $c + di$ are nonunit Gaussian integers. Taking 
norms of both sides yields $49 = (a^2 + b^2)(c^2 + d^2)$. Because $a + bi$ and $c + di$ are not units, we 
have that the factors on the right are not equal to 1, so we must have $a^2 + b^2 = 7$, a contradiction, 
because 7 is not the sum of two squares. 

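29. Because $\alpha$ is neither a unit nor a prime, it has factors $\alpha = \beta\gamma$ with $\beta$ and $\gamma$ nonunits, so 
that $1 < N(\beta)$ and $1 < N(\gamma)$. Then $N(\alpha) = N(\beta)N(\gamma)$. If $N(\beta) > \sqrt{N(\alpha)}$, then $N(\gamma) = 
N(\alpha)/N(\beta) < N(\alpha)/\sqrt{N(\alpha)} = \sqrt{N(\alpha)}$. Consequently, either $\beta$ or $\gamma$ divides $\alpha$ and has norm not 
exceeding $\sqrt{N(\alpha)}$. 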

31. The Gaussian primes with norm less than 100 are $3, 7, 1 + i, 2 + i, 4 + i, 6 + i, 3 + 2i, 5 + 2i, 
7 + 2i, 8 + 3i, 5 + 4i, 9 + 4i, 6 + 5i$, and $8 + 5i$, together with their conjugates and associates. 

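33. a. Note that $\alpha - \alpha = 0 = 0 \cdot \mu$, so $\mu \mid \alpha - \alpha$. Thus, $\alpha \equiv \alpha \pmod{\mu}$. b. Because $\alpha \equiv \beta \pmod{\mu}$, 
we have $\mu \mid \alpha - \beta$, so there exists a Gaussian integer $\gamma$ such that $\mu\gamma = \alpha - \beta$. But then 
$\mu(-\gamma) = \beta - \alpha$, so $\mu \mid \beta - \alpha$. Therefore, $\beta \equiv \alpha \pmod{\mu}$. c. Because $\alpha \equiv \beta \pmod{\mu}$ and 
$\beta \equiv \gamma \pmod{\mu}$, there exist Gaussian integers $\delta$ and $\epsilon$ such that $\mu\delta = \alpha - \beta$ and $\mu\epsilon = \beta - \gamma$. 
Then $\alpha - \gamma = \alpha - \beta + \beta - \gamma = \mu\delta + \mu\epsilon = \mu(\delta + \epsilon)$. Therefore $\alpha \equiv \gamma \pmod{\mu}$. 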

35. Let $\alpha = a_1 + ib_1$, $\beta = a_2 + ib_2$, and $\rho = (a_1 + b_1)(a_2 + b_2)$. Then the real part of $\alpha\beta$ is given by 
the two multiplications $R = a_1a_2 - b_1b_2$, and the imaginary part is given by $\rho - R$, which requires 
only one more multiplication. The second way in the hint goes as follows. Let $m_1 = b_2(a_1 + b_1)$, 
$m_2 = a_2(a_1 - b_1)$, and $m_3 = b_1(a_2 - b_2)$. These are the three multiplications. Then the real part 
of $\alpha\beta$ is given by $m_2 + m_3$, and the imaginary part by $m_1 + m_3$. 

37. a. $i, 1 + i, 1 + 2i, 2 + 3i, 3 + 5i, 5 + 8i$ b. Using the definition of $G_k$ and the properties 
of the Fibonacci sequence, we have $G_k = f_k + if_{k+1} = (f_{k-1} + f_{k-2}) + (f_k + f_{k-1})i = 
(f_{k-1} + f_k i) + (f_{k-2} + f_{k-1} i) = G_{k-1} + G_{k-2}$. 

39. We proceed by induction. For the basis step, note that $G_2G_1 - G_3G_0 = (1 + 2i)(1 + i) - 
(2 + 3i)(i) = 2 + i$, so the basis step holds. Now assume the identity holds for values less 
than $n$. We compute, using the identity in Exercise 37, $G_{n+2}G_{n+1} - G_{n+3}G_n = (G_{n+1} + 
G_n)G_{n+1} - (G_{n+2} + G_{n+1})G_n = G_{n+1}^2 - G_{n+2}G_n = G_{n+1}^2 - (G_{n+1} + G_n)G_n = G_{n+1}^2 - G_n^2 - 
G_{n+1}G_n = (G_{n+1} + G_n)(G_{n+1} - G_n) - G_{n+1}G_n = G_{n+2}G_{n-1} - G_{n+1}G_n = -(-1)^{n-1}(2 + 
i) = (-1)^n(2 + i)$, which completes the induction step. 

41. Because the coefficients of the polynomial are real, the other root is $r - si$, and over the complex 
numbers the polynomial must factor as $(z - (r + si))(z - (r - si)) = z^2 - 2rz + r^2 + s^2$. The 
$z$-coefficients, $a = 2r$ and $b = r^2 + s^2$, are integers. Then $r = a/2$ and $s^2 = (4b - a^2)/4$, which 
shows that $s = c/2$ for some integer $c$. Multiplying by 4, we have $a^2 + c^2 \equiv 0 \pmod 4$, which can 
be true only if both $a$ and $c$ are even; hence, $r$ and $s$ are integers and $r + si$ is a Gaussian integer. 

43. Let $\beta = 1 + 2i$ so that $N(\beta) = 5$. From the proof of the Division algorithm, we have for a 
Gaussian integer $\alpha$ that there exist Gaussian integers $\gamma$ and $\rho$ such that $\alpha = \gamma\beta + \rho$ with 
$N(\rho) < N(\beta)/2 = 5/2$. Therefore, the only possible remainders upon division by $1 + 2i$ are 
$0, 1, i, 1 + i$ and their associates. Furthermore, we can always replace a remainder of $1 + i$ with 
a remainder of $-i$ because $\alpha = \beta\gamma + (1 + i) = \beta(\gamma + 1) + (1 + i) - (1 + 2i) = \beta(\gamma + 1) - i$. 
So we may take the entire set of remainders to be $0, 1, -1, i$ and $-i$. Consider dividing each of 
the Gaussian primes $\pi_1, \ldots, \pi_4$ by $\beta$. If any two left the same remainder $\rho$, then $\beta$ divides the 
difference between the two primes. But all these differences are either 2 or $\pm 1 \pm i$, which are not 
divisible by $\beta$. Further, since these are all prime, none of the remainders are 0. Therefore, the 
remainders are exactly the set $1, -1, i$, and $-i$. Now divide $a + bi$ by $\beta$ and let the remainder 
be $\rho$. If $\rho$ is not zero, then it is one of $1, -1, i$, or $-i$. But then one of $\pi_1, \ldots, \pi_4$ leaves the 
same remainder upon division by $\beta$, say $\pi_k$. Then $\beta$ divides $\pi_k - (a + bi)$ which is a unit, a 
contradiction. Therefore, $\rho = 0$. Therefore, $1 + 2i$ divides $a + bi$. A similar argument shows that 
$1 - 2i$ also divides $a + bi$. Therefore, the product of these primes $(1 - 2i)(1 + 2i) = 5$ also divides 
$a + bi$, and hence each of the components. Now suppose that $b = 0$. Then $a \pm 1$ are prime and by 
Exercise 23, $a \pm 1$ are odd. Therefore, one of them, say $a + 1$, is a prime congruent to 1 modulo 
4. By Theorem 13.5, there exist integers $x$ and $y$ such that $a + 1 = x^2 + y^2 = (x + yi)(x - yi)$. 
Because $a + 1$ is prime, one of $x \pm yi$ is a unit, which implies that one of $x$ or $y$ is zero, which in 
turn implies that $a + 1$ is a square. So in any case, one of $a \pm 1$ is not a Gaussian prime. Therefore, 
$b \ne 0$. Similarly, if we apply Exercise 26, we see that $a \ne 0$. 

45. Taking norms of the equation $\alpha\beta\gamma = 1$ shows that all three numbers must be units in the Gaussian 
integers, which restricts our choices to $1, -1, i$, and $-i$. Choosing three of these in the equation 
$\alpha + \beta + \gamma = 1$, we have the possible solutions, up to permutation, $(1, 1, -1)$, $(1, i, -i)$, but only 
the second solution works in the first equation, leaving $(1, i, -i)$ as the only solution. 

Section 14.2 

1. Certainly $1 \mid \pi_1$ and $1 \mid \pi_2$. Suppose $\delta \mid \pi_1$ and $\delta \mid \pi_2$. Because $\pi_1$ and $\pi_2$ are Gaussian primes, $\delta$ must 
be either a unit or an associate of the primes. But because $\pi_1$ and $\pi_2$ are not associates, then they 
can not have an associate in common, so $\delta$ is a unit and so $\delta \mid 1$. Therefore, 1 satisfies the definition 
of a greatest common divisor for $\pi_1$ and $\pi_2$. 
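3. Because $\gamma$ is a greatest common divisor of $\alpha$ and $\beta$, we have $\gamma \mid \alpha$ and $\gamma \mid \beta$, so there exist Gaussian 
integers $\mu$ and $\nu$ such that $\mu\gamma = \alpha$ and $\nu\gamma = \beta$. So that $\overline{\mu\gamma} = \bar\mu \cdot \bar\gamma = \bar\alpha$ and $\overline{\nu\gamma} = \bar\nu \cdot \bar\gamma = \bar\beta$, so 
that $\bar\gamma$ is a common divisor of $\bar\alpha$ and $\bar\beta$. Further, if $\delta \mid \bar\alpha$ and $\delta \mid \bar\beta$, then $\bar\delta \mid \alpha$ and $\bar\delta \mid \beta$, and so $\bar\delta \mid \gamma$ by the 
definition of greatest common divisor. But then $\bar{\bar\delta} \mid \bar\gamma$ and $\bar{\bar\delta} = \delta$, which shows that $\bar\gamma$ is a greatest 
common divisor for $\bar\alpha$ and $\bar\beta$. 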

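5. Let $\epsilon\gamma$, where $\epsilon$ is a unit, be an associate of $\gamma$. Because $\gamma \mid \alpha$, there is a Gaussian integer $\mu$ such 
that $\mu\gamma = \alpha$. Because $\epsilon$ is a unit, $1/\epsilon$ is also a Gaussian integer. Then $(1/\epsilon)\mu(\epsilon\gamma) = \alpha$, so $\epsilon\gamma \mid \alpha$. 
Similarly, $\epsilon\gamma \mid \beta$. If $\delta \mid \alpha$ and $\delta \mid \beta$, then $\delta \mid \gamma$ by definition of greatest common divisor, so there exists 
a Gaussian integer $\nu$ such that $\nu\delta = \gamma$. Then $\epsilon\nu\delta = \epsilon\gamma$, and because $\epsilon\nu$ is a Gaussian integer, we 
have $\delta \mid \epsilon\gamma$, so $\epsilon\gamma$ satisfies the definition of a greatest common divisor. 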

7. Take $(3 - 2i)$ and $(3 + 2i)$, for example. 

9. Because $a$ and $b$ are relatively prime rational integers, there exist rational integers $m$ and $n$ such 
that $am + bn = 1$. Let $\delta$ be a greatest common divisor of the Gaussian integers $a$ and $b$. Then 
$\delta$ divides $am + bn = 1$. Therefore, $\delta$ is a unit in the Gaussian integers and hence $a$ and $b$ are 
relatively prime Gaussian integers. 

11. a. We have $44 + 18i = (12 - 16i)(1 + 2i) + 10i$; $12 - 16i = (10i)(-2 - i) + (2 + 4i)$; 
$10i = (2 + 4i)(2 + i) + 0$. The last nonzero remainder, $2 + 4i$, is a greatest common divisor. 
b. By part (a), $2 + 4i = (12 - 16i) - (10i)(-2 - i) = (12 - 16i) - ((44 + 18i) - (12 - 
16i)(1 + 2i))(-2 - i) = (2 + i)(44 + 18i) + (1 + (1 + 2i)(-2 - i))(12 - 16i) = (2 + i)(44 + 
18i) + (1 - 5i)(12 - 16i)$. Take $\mu = 2 + i$ and $\nu = 1 - 5i$. 

13. We proceed by induction. We have $G_0 = i$ and $G_1 = 1 + i$. Because $G_0$ is a unit, these are relatively 
prime and this completes the basis step. Assume we know that $G_k$ and $G_{k-1}$ are relatively prime. 
Suppose $\delta \mid G_k$ and $\delta \mid G_{k+1}$. Then $\delta \mid (G_{k+1} - G_k) = (G_k + G_{k-1} - G_k) = G_{k-1}$, so $\delta$ is a common 
divisor of $G_k$ and $G_{k-1}$, which are relatively prime. Hence, 1 is a greatest common divisor of 
$G_{k+1}$ and $G_k$. 

15. Let k be the smallest rational integer such that N (a) < 2 k . Dividing ^ = p 0 by a = pi in the first 
step of the Euclidean algorithm gives us /} = y 2 a + p 2 with N(p 2 ) < N(a) < 2 k ~ ] . The next step 
of the Euclidean algorithm gives us a = y 2 p 2 + p 3 with IV (p 3 ) < N(p 2 ) < 2 k ~ 2 . Continuing with 
the algorithm shows us that N(p k ) < 2 k ~ ( - k ~ v> — 2, so that the Euclidean algorithm must terminate 
in no more than k = [log 2 N(a)] + 1 steps. And thus we have k = 0(log 2 (N(a)). 

17. a. $(-1)(1 - 2i)(1 - 4i)$ b. $3 - 13i = (-1)(1 + i)(5 + 8i)$ c. $(-1)(1 + i)^4(7)$ 
d. $i(1 + i)^8(1 + 2i)^2(1 - 2i)^2$ 

19. a. 48 b. 120 c. 1792 d. 2592 

21. Assume $n$ and $a + bi$ are relatively prime. Then there exist Gaussian integers $\mu$ and $\nu$ such that 
$\mu n + \nu(a + bi) = 1$. If we take conjugates of both sides and recall that the conjugate of a rational 
integer is itself, we have $\bar\mu n + \bar\nu(a - bi) = 1$, so $n$ is also relatively prime to $a - bi$. Because 
$a - bi$ is an associate of $b + ai$ (multiply by $i$), we have the result. The converse is true by 
symmetry. 

23. Suppose that $\pi_1, \pi_2, \ldots, \pi_k$ are all of the Gaussian primes and form the Gaussian integer 
$Q = \pi_1\pi_2 \cdots \pi_k + 1$. From Theorem 14.10, we know that $Q$ has a unique factorization into 
Gaussian primes, and hence is divisible by some Gaussian prime $\rho$. Then $\rho \mid Q$ and $\rho \mid \pi_1\pi_2 \cdots \pi_k$, 
so $\rho$ divides their difference, which is 1, a contradiction, unless $\rho$ is a prime different from 
$\pi_1, \pi_2, \ldots, \pi_k$, proving that we did not have all the Gaussian primes. 


25. $-2i$ 
27. Because $\alpha$ and $\mu$ are relatively prime, there exist Gaussian integers $\sigma$ and $\tau$ such that $\sigma\alpha + \tau\mu = 1$. 
If we multiply through by $\beta$, we get $\beta\sigma\alpha + \beta\tau\mu = \beta$, so that we know $\alpha(\beta\sigma) \equiv \beta \pmod{\mu}$ and 
thus $x \equiv \beta\sigma \pmod{\mu}$ is the solution. 
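
The Euclidean algorithm with back substitution from Exercise 11, the step bound of Exercise 15, and the congruence solution of Exercise 27 can be run together. The following is an added example, not code from the book; Gaussian integers are represented as (real, imaginary) tuples and all function names are assumptions.

```python
def g_mul(u, v):
    """Product of two Gaussian integers given as (re, im) tuples."""
    return (u[0] * v[0] - u[1] * v[1], u[0] * v[1] + u[1] * v[0])


def g_sub(u, v):
    return (u[0] - v[0], u[1] - v[1])


def norm(u):
    return u[0] * u[0] + u[1] * u[1]


def _round_div(num, den):
    """Nearest integer to num/den for den > 0, using exact integer arithmetic."""
    return (2 * num + den) // (2 * den)


def g_divmod(alpha, beta):
    """Quotient and remainder with N(remainder) <= N(beta)/2."""
    n = norm(beta)
    if n == 0:
        raise ZeroDivisionError("division by the Gaussian integer 0")
    # alpha / beta = alpha * conj(beta) / N(beta); round each coordinate.
    re, im = g_mul(alpha, (beta[0], -beta[1]))
    q = (_round_div(re, n), _round_div(im, n))
    return q, g_sub(alpha, g_mul(q, beta))


def g_xgcd(alpha, beta):
    """Return (delta, mu, nu, steps) with mu*alpha + nu*beta == delta.

    delta is the last nonzero remainder, hence a greatest common divisor;
    steps is the number of divisions performed.
    """
    r0, r1 = alpha, beta
    s0, s1 = (1, 0), (0, 0)
    t0, t1 = (0, 0), (1, 0)
    steps = 0
    while r1 != (0, 0):
        q, r2 = g_divmod(r0, r1)
        r0, r1 = r1, r2
        s0, s1 = s1, g_sub(s0, g_mul(q, s1))
        t0, t1 = t1, g_sub(t0, g_mul(q, t1))
        steps += 1
    return r0, s0, t0, steps


def solve_congruence(alpha, beta, mu):
    """Solve alpha*x = beta (mod mu) when alpha and mu are relatively prime."""
    delta, sigma, _tau, _ = g_xgcd(alpha, mu)
    if norm(delta) != 1:
        raise ValueError("alpha and mu are not relatively prime")
    # sigma*alpha + tau*mu = delta, a unit; its inverse is its conjugate.
    unit_inverse = (delta[0], -delta[1])
    x = g_mul(beta, g_mul(sigma, unit_inverse))
    return g_divmod(x, mu)[1]          # reduce to a small representative


if __name__ == "__main__":
    print(g_xgcd((44, 18), (12, -16)))
    print(solve_congruence((3, 0), (1, 1), (2, 3)))
```
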

29. a. $x \equiv 5 - 4i \pmod{13}$ b. $x \equiv 1 - 2i \pmod{4 + i}$ c. $x \equiv 3i \pmod{2 + 3i}$ 

31. Chinese Remainder Theorem for Gaussian Integers. Let $\mu_1, \mu_2, \ldots, \mu_r$ be pairwise relatively 
prime Gaussian integers, and let $\alpha_1, \alpha_2, \ldots, \alpha_r$ be Gaussian integers. Then the system of 
congruences $x \equiv \alpha_i \pmod{\mu_i}$, $i = 1, \ldots, r$ has a unique solution modulo $M = \mu_1\mu_2 \cdots \mu_r$. 
Proof: To construct a solution, for each $k = 1, \ldots, r$, let $M_k = M/\mu_k$. Then $M_k$ and $\mu_k$ 
are relatively prime, because $\mu_k$ is relatively prime to all of the factors of $M_k$. Then from 
Exercise 24, we know $M_k$ has an inverse $\lambda_k$ modulo $\mu_k$, so that $M_k\lambda_k \equiv 1 \pmod{\mu_k}$. Now let 
$x = \alpha_1M_1\lambda_1 + \cdots + \alpha_rM_r\lambda_r$. We will show $x$ is the solution to the system. 

Because $\mu_k \mid M_j$ whenever $j \ne k$, we have $\alpha_jM_j\lambda_j \equiv 0 \pmod{\mu_k}$ whenever $j \ne k$. Therefore, 
$x \equiv \alpha_kM_k\lambda_k \pmod{\mu_k}$. Also, because $\lambda_k$ is an inverse for $M_k$ modulo $\mu_k$, we have $x \equiv \alpha_k \pmod{\mu_k}$ 
for every $k$, as desired. 

Now suppose there is another solution $y$ to the system. Then $x \equiv \alpha_k \equiv y \pmod{\mu_k}$, and so 
$\mu_k \mid (x - y)$ for every $k$. Because the $\mu_k$ are pairwise relatively prime, no Gaussian prime appears 
in more than one of their prime factorizations. Therefore, if a Gaussian prime power $\pi^e \mid (x - y)$, 
then it divides exactly one of the $\mu_k$'s. Therefore, the product $M$ of the $\mu_k$'s also divides $x - y$, 
and so $x \equiv y \pmod{M}$, showing that $x$ is unique modulo $M$. 

33. x = 9 + 23i (mod 26 + li) 

35. a. $\{0, 1\}$ b. $\{0, 1, i, 1 + i\}$ c. $\{0, 1, 2, 2i, -1 - i, -i, 1 - i, -1 + i, i, 1 + i, -2i, -2, -1\}$ 

37. Let $\alpha = a + bi$ and $d = \gcd(a, b)$. We assert that the set $S = \{p + qi \mid 0 \le p < N(\alpha)/d,\ 0 \le q < d\}$ 
is a complete residue system. Note that this represents a rectangle of lattice points in the plane. 
We create two multiples of $\alpha$. First, $N(\alpha)/d = \alpha(\bar\alpha/d)$ is a real number and a multiple of $\alpha$. 
Second, there exist rational integers $r$ and $s$ such that $ra + sb = d$. So we have the multiple of $\alpha$ 
given by $v = (s + ir)\alpha = (s + ir)(a + bi) = (as - br) + di$. Now it is clear that any Gaussian 
integer is congruent modulo $\alpha$ to an integer in the rectangle $S$, because first we can add or subtract 
multiples of $v$ until the imaginary part is between 0 and $d - 1$ and then add and subtract multiples 
of $N(\alpha)/d$ until the real part is between 0 and $N(\alpha)/d - 1$. It remains to show the elements of $S$ 
are incongruent to each other modulo $\alpha$. Suppose $\beta$ and $\gamma$ are in $S$ and congruent to each other 
modulo $\alpha$. Then the imaginary part of $\beta - \gamma$ must be divisible by $d$, but because these must lie 
in the interval from 0 to $d - 1$, they must be equal. Therefore, the difference between $\beta$ and $\gamma$ is 
real and divisible by $\alpha$, hence by $\bar\alpha$ and hence by $\alpha\bar\alpha/d = N(\alpha)/d$, which proves they are equal. 
Because $S$ has $N(\alpha)$ elements, we are done. 

39. a. $\{i, -i, 1, -1\}$ b. $\{i, -i, 1, 1 + 2i, 2 + i, 2 - i, -1, -1 + 2i\}$ c. $\{i, 2 - i, -2 + i, -i, 1, 1 + 
2i, -1 - 2i, -1\}$ 

41. By the properties of the norm function and Exercise 37, we know that there are $N(\pi^e) = N(\pi)^e$ 
residue classes modulo $\pi^e$. Let $\pi = r + si$, and $d = \gcd(r, s)$. Also, by Exercise 37, a complete 
residue system modulo $\pi^e$ is given by the rectangle $S = \{p + qi \mid 0 \le p < N(\pi^e)/d,\ 0 \le q < d\}$, 
while a complete residue system modulo $\pi$ is given by the rectangle $T = \{p + qi \mid 0 \le p < 
N(\pi)/d,\ 0 \le q < d\}$. Note that in $T$ there is exactly one element not relatively prime to $\pi$, and 
that there are $N(\pi)^{e-1}$ copies of $T$, congruent modulo $\pi$, inside of $S$. Therefore, there are exactly 
$N(\pi)^{e-1}$ elements in $S$ not relatively prime to $\pi$. Thus, there are $N(\pi)^e - N(\pi)^{e-1}$ elements in 
a reduced residue system modulo $\pi^e$. 

43. a. First note that because $r + s\sqrt{-5}$ is a root of a monic polynomial with integer coefficients, the 
other root must be $r - s\sqrt{-5}$ and the polynomial is $(x - (r + s\sqrt{-5}))(x - (r - s\sqrt{-5})) = 
x^2 - 2rx + (r^2 + 5s^2) = x^2 - ax + b$, where $a$ and $b$ are rational integers. Then $r = a/2$ 
and $5s^2 = (4b - a^2)/4$, so that $s = c/2$ for some integer $c$. (Note that 5 cannot appear in 
the denominator of $s$, or else when we square it, the single factor of 5 in the expression 
leaves a remaining factor in the denominator, which does not appear on the right side of 
the equation.) Substituting these expressions for $r$ and $s$, we have $(a/2)^2 + 5(c/2)^2 = b^2$, 
or upon multiplication by 4, $a^2 + 5c^2 = 4b^2 \equiv 0 \pmod 4$, which has solutions only when 
$a$ and $c$ are even. Therefore, $r$ and $s$ are rational integers. b. Let $\alpha = a + b\sqrt{-5}$ and 
$\beta = c + d\sqrt{-5}$. Then $\alpha + \beta = (a + c) + (b + d)\sqrt{-5}$ and $\alpha - \beta = (a - c) + (b - d)\sqrt{-5}$, 
and $\alpha\beta = (ac - 5bd) + (ad + bc)\sqrt{-5}$. Because the rational integers are closed under addition, 
subtraction, and multiplication, all of the results are again of the form $p + q\sqrt{-5}$ with $p$ 
and $q$ rational integers. c. yes, no d. Let $\alpha = a + b\sqrt{-5}$ and $\beta = c + d\sqrt{-5}$. Then 
$N(\alpha)N(\beta) = (a^2 + 5b^2)(c^2 + 5d^2) = a^2c^2 + 5a^2d^2 + 5b^2c^2 + 25b^2d^2$. On the other hand, $\alpha\beta = 
(ac - 5bd) + (ad + bc)\sqrt{-5}$ and $N((ac - 5bd) + (ad + bc)\sqrt{-5}) = (ac - 5bd)^2 + 5(ad + 
bc)^2 = a^2c^2 - 10acbd + 25b^2d^2 + 5(a^2d^2 + 2adbc + b^2c^2) = a^2c^2 + 5a^2d^2 + 5b^2c^2 + 25b^2d^2$, 
which is equal to the expression above, proving the assertion. e. If $\epsilon$ is a unit in $\mathbb{Z}[\sqrt{-5}]$, then 
there exists an $\eta$ such that $\epsilon\eta = 1$. From part (d), we have $N(\epsilon\eta) = N(\epsilon)N(\eta) = N(1) = 1$, so 
$N(\epsilon) = 1$. Suppose $\epsilon = a + b\sqrt{-5}$, then $N(\epsilon) = a^2 + 5b^2 = 1$, which shows that $b = 0$, and hence 
$a^2 = 1$, so that we know $a = \pm 1$. Therefore, the only units are 1 and $-1$. f. If an integer $\alpha$ in 
$\mathbb{Z}[\sqrt{-5}]$ is not a unit and not prime, then it must have two non-unit divisors $\beta$ and $\gamma$ such that 
$N(\beta)N(\gamma) = N(\alpha)$. To see that 2 is prime, note that a divisor $\beta = a + b\sqrt{-5}$ has norm $a^2 + 5b^2$, 
while $N(2) = 4$, which forces $b = 0$. If $\beta$ is not a unit, then $a = \pm 2$, but then this forces $\gamma$ to be 
a unit; hence 2 is prime. To see that 3 is prime, we seek divisors of $N(3) = 9$ among $a^2 + 5b^2$. 
We see that $b$ can be only 0 or $\pm 1$, or else the norm is too large. And if $b = \pm 1$, then the only 
possible divisor is 9 itself, forcing the other divisor to be a unit. If $b = 0$, then $a = \pm 3$, and hence 
3 is prime. To see that $1 \pm \sqrt{-5}$ is prime, note that its norm is 6. A divisor $a + b\sqrt{-5}$ can have 
$b$ take on the values 0 and $\pm 1$, else the norm is too large. If $b = 0$, then $a^2 \mid 6$, a contradiction, 
so $b = \pm 1$. But then $(a^2 + 5) \mid 6$, forcing $a = \pm 1$. But $N(\pm 1 \pm \sqrt{-5}) = 6$, so the other divisor 
is a unit, and so $1 \pm \sqrt{-5}$ is also prime. Note then that $2 \cdot 3 = 6$ and $(1 - \sqrt{-5})(1 + \sqrt{-5}) = 6$, 
so that we do not have unique factorization into primes in $\mathbb{Z}[\sqrt{-5}]$. g. Suppose $\gamma$ and $\rho$ 
exist. Note first that $(7 - 2\sqrt{-5})/(1 + \sqrt{-5}) = -1/2 - (3/2)\sqrt{-5}$, so $\rho \ne 0$. Let $\gamma = a + b\sqrt{-5}$ 
and $\rho = c + d\sqrt{-5}$. Then from $7 - 2\sqrt{-5} = (1 + \sqrt{-5})(a + b\sqrt{-5}) + (c + d\sqrt{-5}) = (a - 
5b + c) + (a + b + d)\sqrt{-5}$, we get $7 = a - 5b + c$ and $-2 = a + b + d$. If we subtract the 
second equation from the first, we have $9 = -6b + c - d$ or $c - d = 6b + 9$. Therefore, 
$3 \mid c - d$, and because $\rho \ne 0$, $c - d \ne 0$, so $|c - d| \ge 3$. We consider $N(\rho) = c^2 + 5d^2$. If 
$d = 0$, then $N(\rho) \ge c^2 \ge 3^2 > 6$. If $d = \pm 1$, then $|c| \ge 2$ and $N(\rho) = c^2 + 5d^2 \ge 4 + 5 > 6$. 
If $|d| \ge 2$, then $N(\rho) \ge 5d^2 \ge 5 \cdot 2^2 = 20 > 6$, so in every case the norm of $\rho$ is greater 
than 6. So no such $\gamma$ and $\rho$ exist, and there is no analog for the division algorithm in 
$\mathbb{Z}[\sqrt{-5}]$. h. Suppose $\mu = a + b\sqrt{-5}$ and $\nu = c + d\sqrt{-5}$ is a solution to the equation. Then 
$3(a + b\sqrt{-5}) + (1 + \sqrt{-5})(c + d\sqrt{-5}) = (3a + c - 5d) + (3b + c + d)\sqrt{-5} = 1$. So we must 
have $3a + c - 5d = 1$ and $3b + c + d = 0$. If we subtract the second equation from the first, we 
get $3a - 3b - 6d = 1$, which implies that $3 \mid 1$, an absurdity. Therefore, no such solution exists. 


Section 14.3 

1. a. 8 b. 8 c. 0 d. 16 

3. We first check that a greatest common divisor $\delta$ of $\alpha$ and $\beta$ divides $\gamma$, otherwise no solution 
exists. If a solution exists, we use the Euclidean algorithm and back substitution to express $\delta$ as 
a linear combination of $\alpha$ and $\beta$: $\alpha\mu + \beta\nu = \delta$. Because $\delta$ divides $\gamma$, there is a Gaussian integer 
$\eta$ such that $\delta\eta = \gamma$. If we multiply the last equation by $\eta$, we have $\alpha\mu\eta + \beta\nu\eta = \delta\eta = \gamma$, so we 
may take $x_0 = \mu\eta$ and $y_0 = \nu\eta$ as a solution. The set of all solutions is given by $x = x_0 + \beta\tau/\delta$, 
$y = y_0 - \alpha\tau/\delta$, where $\tau$ ranges over the Gaussian integers. 
5. a. no solutions b. no solutions 

7. Let $\alpha = a + bi$. Then $N(\alpha) = a^2 + b^2 = p$, and by Theorem 14.5, we know that $\alpha$ and $\bar\alpha$ are 
Gaussian primes. Similarly, if $\gamma = c + di$, then $\gamma$ and $\bar\gamma$ are Gaussian primes. By Theorem 14.10, 
$\alpha$ must be an associate of $\gamma$ or $\bar\gamma$. So $\alpha$ must equal one of the following: $\pm c \pm di$, $\pm d \pm ci$, and 
in any of these cases we must have $a = \pm c$ and $b = \pm d$ or $a = \pm d$ and $b = \pm c$. Squaring these 
equations gives the result. 

9. Suppose $x, y, z$ is a primitive Pythagorean triple with $y$ even, so that $x$ and $z$ are necessarily odd. 
Then $z^2 = x^2 + y^2 = (x + iy)(x - iy)$ in the Gaussian integers. If a rational prime $p$ divides 
$x + iy$, then it must divide both $x$ and $y$, which contradicts the fact that the triple is primitive. 
Therefore, the only Gaussian primes that divide $x + iy$ are of the form $m + in$ with $n \ne 0$. 
Also, if $1 + i \mid x + iy$, then we have the conjugate relationship $1 - i \mid x - iy$, which implies that 
$2 = (1 - i)(1 + i)$ divides $z^2$, which is odd, a contradiction. Therefore, we conclude that $1 + i$ does 
not divide $x + iy$, and hence neither does 2. Suppose $\delta$ is a common divisor of $x + iy$ and $x - iy$. 
Then $\delta$ divides the sum $2x$ and the difference $2iy$. Because we know that 2 is not a common factor, 
$\delta$ must divide both $x$ and $y$, which we know are relatively prime. Hence, $\delta$ is a unit and $x + iy$ 
and $x - iy$ are also relatively prime. Then we know that every prime that divides $x + iy$ is of the 
form $\pi = u + iv$, and so $\bar\pi = u - iv$ divides $x - iy$. Because their product equals a square, each 
factor is a square. Thus, $x + iy = (m + in)^2$ and $x - iy = (m - in)^2$ for some Gaussian integer 
$m + in$ and its conjugate. But then $x + iy = m^2 - n^2 + 2mni$, so $x = m^2 - n^2$ and $y = 2mn$. And 
$z^2 = (m + ni)^2(m - ni)^2 = (m^2 + n^2)^2$, so $z = m^2 + n^2$. Further, if $m$ and $n$ were both odd or 
both even, we would have $z$ even, a contradiction, so we may conclude that $m$ and $n$ have opposite 
parity. Finally, having found $m$ and $n$ that work, if $m < n$, then we can multiply by $i$ and reverse 
their roles to get $m > n$. The converse is exactly as in Section 13.1. 

11. By Lemma 14.3, there is a unique rational prime $p$ such that $\pi \mid p$. Let $\alpha = a + bi$ and consider 3 
cases. 

Case 1: If $p = 2$, then $\pi$ is an associate of $1 + i$ and $N(\pi) - 1 = 1$. Since there are only 
two congruence classes modulo $1 + i$ and since $\alpha$ and $1 + i$ are relatively prime, we have 
$\alpha^{N(\pi)-1} = \alpha \equiv 1 \pmod{1 + i}$. 

Case 2: If p = 3 (mod 4), then it and p are associates and N(it) — 1 = p 2 — 1. Also (—i) p = 
—i. By the binomial theorem, we have a p — (a + bi) p = a p + (bi) p = —ib p = a — bi = a 
(mod p), using Fermat’s little theorem. Similarly, a p = a (mod p), so that a p =a p = a (mod p), 
and since p — it and a and it are relatively prime, we have = 1 (mod p). 

Case 3: If p = 1 (mod 4), then it it = p, i p = i, and N(it) — 1 = p — 1. By the Binomial 
theorem, we have a p — (a + bi) p = a p + ( bi) p = a + bi = a (mod p), using Fermat’s little 
theorem. Cancelling an a gives us a p_1 = 1 (mod p), and because it\p, we have = 1 

(mod it), which concludes the proof. 

13. Let $\pi$ be a Gaussian prime. If $\alpha^2 \equiv 1 \pmod{\pi}$, then $\pi \mid \alpha^2 - 1 = (\alpha - 1)(\alpha + 1)$, so that either 
$\alpha \equiv 1$ or $\alpha \equiv -1 \pmod{\pi}$. Therefore, only 1 and $-1$ can be their own inverses modulo $\pi$. 
Now let $\alpha_1 = 1, \alpha_2, \ldots, \alpha_{r-1}, \alpha_r = -1$ be a reduced residue system modulo $\pi$. For each $\alpha_k$, 
$k = 2, 3, \ldots, r - 1$, there is a multiplicative inverse modulo $\pi$, $\alpha_k'$, such that $\alpha_k\alpha_k' \equiv 1 \pmod{\pi}$. If 
we group all such pairs in the reduced residue system together, then the product is easy to evaluate: 
$\alpha_1\alpha_2 \cdots \alpha_r = 1(\alpha_2\alpha_2')(\alpha_3\alpha_3') \cdots (\alpha_{r-1}\alpha_{r-1}')(-1) \equiv -1 \pmod{\pi}$, which proves the theorem. 

Appendix A 

1. a. $a(b + c) = (b + c)a = ba + ca = ab + ac$ b. $(a + b)^2 = (a + b)(a + b) = a(a + b) + 
b(a + b) = a^2 + ab + ba + b^2 = a^2 + 2ab + b^2$ c. $a + (b + c) = a + (c + b) = (a + c) + b = 
(c + a) + b$ d. $(b - a) + (c - b) + (a - c) = (-a + b) + (-b + c) + (-c + a) = -a + (b - 
b) + (c - c) + a$ 





3. By the definition of the inverse of an element, $0 + (-0) = 0$. But because 0 is an identity element, 
we have $0 + (-0) = -0$. It follows that $-0 = 0$. 

5. Let $x$ be a positive integer. Because $x = x - 0$ is positive, $x > 0$. Now let $x > 0$. Then $x - 0 = x$ 
is positive. 

7. We have a — c = a + (— b + b) — c = (a — b) + (b — c), which is positive from our hypothesis 
and the closure of the positive integers. 

9. Suppose that there are positive integers less than 1. By the well-ordering property, there is a 
least such integer, say, $a$. Because $a < 1$ and $a > 0$, Example A.2 shows that $a^2 = aa < 1 \cdot a = a$. 
Because $a^2 > 0$, it follows that $a^2$ is a positive integer less than $a$, which is a contradiction. 

Appendix B 

1. a. We have $\binom{100}{0} = 100!/(0!\,100!) = 1$. b. We have $\binom{50}{1} = 50!/(1!\,49!) = 50$. c. We have $\binom{20}{3} = 
20!/(3!\,17!) = 1140$. d. We have $\binom{11}{5} = 11!/(5!\,6!) = 462$. e. We have $\binom{10}{7} = 10!/(7!\,3!) = 120$. 
f. We have $\binom{70}{70} = 70!/(70!\,0!) = 1$. 

3. a. $a^5 + 5a^4b + 10a^3b^2 + 10a^2b^3 + 5ab^4 + b^5$ b. $x^{10} + 10x^9y + 45x^8y^2 + 120x^7y^3 + 
210x^6y^4 + 252x^5y^5 + 210x^4y^6 + 120x^3y^7 + 45x^2y^8 + 10xy^9 + y^{10}$ c. $m^7 - 7m^6n + 
21m^5n^2 - 35m^4n^3 + 35m^3n^4 - 21m^2n^5 + 7mn^6 - n^7$ d. $16a^4 + 96a^3b + 216a^2b^2 + 216ab^3 + 
81b^4$ e. $243x^5 - 1620x^4y + 4320x^3y^2 - 5760x^2y^3 + 3840xy^4 - 1024y^5$ f. $390625x^8 + 
4375000x^7 + 21437500x^6 + 60025000x^5 + 105043750x^4 + 117649000x^3 + 82354300x^2 + 
32941720x + 5764801$ 

5. On the one hand, $(1 + (-1))^n = 0^n = 0$. On the other hand, by the binomial theorem, 
$\sum_{k=0}^{n} (-1)^k \binom{n}{k} = (1 + (-1))^n$. 

7. $\binom{n}{r}\binom{r}{k} = n!/(r!(n - r)!) \cdot r!/(k!(r - k)!) = n!(n - k)!/(k!(n - k)!(n - r)!(n - k - n + r)!) = 
\binom{n}{k}\binom{n-k}{n-r}$ 

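9. We fix $r$ and proceed by induction on $n$. It is easy to check the cases when $n = r$ and $n = r + 1$.
Suppose the identity holds for all values from $r$ to $n - 1$. Then consider the sum
$\binom{r}{r} + \binom{r+1}{r} + \cdots + \binom{n}{r} = \binom{r-1}{r-1} + \left(\binom{r}{r} + \binom{r}{r-1}\right) + \left(\binom{r+1}{r} + \binom{r+1}{r-1}\right) + \cdots + \left(\binom{n-1}{r} + \binom{n-1}{r-1}\right)$,
where we have used $\binom{r}{r} = \binom{r-1}{r-1}$ and Pascal’s identity. Regrouping this sum gives us
$\left(\binom{r-1}{r-1} + \binom{r}{r-1} + \cdots + \binom{n-1}{r-1}\right) + \left(\binom{r}{r} + \binom{r+1}{r} + \cdots + \binom{n-1}{r}\right)$.
By our induction hypothesis, these two sums are equal to
$\binom{n}{r+1} + \binom{n}{r} = \binom{n+1}{r+1}$, which concludes the induction step.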

11. Using Exercise 10, $\binom{x}{n} + \binom{x}{n+1} = \frac{x!}{n!(x-n)!} + \frac{x!}{(n+1)!(x-n-1)!} = \frac{x!(n+1)}{(n+1)!(x-n)!} + \frac{x!(x-n)}{(n+1)!(x-n)!} = \frac{x!(x-n+n+1)}{(n+1)!(x-n)!} = \frac{(x+1)!}{(n+1)!(x-n)!} = \binom{x+1}{n+1}$.

13. Let $S$ be a set of $n$ copies of $x + y$. Consider the coefficient of $x^k y^{n-k}$ in the expansion of $(x + y)^n$.
Choosing the $x$ from each element of a $k$-element subset of $S$, we notice that the coefficient of
$x^k y^{n-k}$ is the number of $k$-element subsets of $S$, $\binom{n}{k}$.

15. By counting elements with exactly 0, 1, 2, and 3 properties, we see that only elements with 0
properties are counted in $n - [n(P_1) + n(P_2) + n(P_3)] + [n(P_1, P_2) + n(P_1, P_3) + n(P_2, P_3)] -
[n(P_1, P_2, P_3)]$, and those only once.

17. A term of the sum is of the form $a x_1^{k_1} x_2^{k_2} \cdots x_m^{k_m}$ where $k_1 + k_2 + \cdots + k_m = n$ and $a = \frac{n!}{k_1! k_2! \cdots k_m!}$.
19. 56133000000 
as least positive linear combination,
94-97, 107-109 
of more than two integers, 98 
of two integers, 39 
using to break Vigenere ciphers, 302 
Greatest integer function, 7 
Greeks, ancient, 19, 69, 70, 256 
Green, Ben, 87 
Green-Tao theorem, 87 
Gregorian calendar, 197-198 
Hadamard, Jacques, 79, 80
Hajratwala, Nayan, 263 
Hanoi, tower of, 28 
Hardy, G. H., 2, 78, 92, 254, 278 
Harmonic series, 27 
Haros, C., 101
Hashing, 204-206 
double, 205-206 
function, 204 
quadratic, 429 
Hashing function, 202 
Hastad broadcast attack, 328, 330 
Hellman, M. E., 318, 324, 333
Hensel, Kurt, 173 
Hensel’s lemma, 173 
Heptadecagon, 146 
Heptagonal number, 21 
Heron triangle, 574 
Hex, 48, 49 

Hexadecimal notation, 48, 49 
Hexagonal number, 21 
Highly composite, 253 
Hilbert, David, 122, 478 
Hilbert prime, 121 
Hill, Lester S., 305, 306 
Hill cipher, 305-309 
Home team, 203 
House of Wisdom, 57 
Horses, same color, 28 
Hundred fowls problem, 143 
Hurwitz, Alexander, 262 
Hyperinflation, 534 
Hypothesis, Riemann, 83 

IBM 360 computer, 262 
IBM 7090 computer, 262 
Bezout, 95-96
Rogers-Ramanujan, 287 
Identity elements, 605 
ILLIAC, 262 

Inclusion-exclusion, principle of, 77, 
613-614 
Incongruent, 145 
Index arithmetic, 368-371 
Index of coincidence, 303 
Index of an integer, 368, 636-639 
Index of summation, 16 
Index system, 377 


Indices, 368, 636-639 
Induction, mathematical, 23-27 
Induction, strong, 25 
Inductive step, 23 
Inequality, Bonse’s, 91 
Infinite descent, 531, 535
Infinite simple continued fraction, 491 
Infinitude of primes, 70-71, 76, 101, 102, 
124, 125, 133-134 

Initial term of a geometric progression, 10 
Integer, 6 
abundant, 267 
composite, 70 
deficient, 267 
Eisenstein, 597 
Gaussian, 579 
k-abundant, 267
k-perfect, 267
order of, 347-348 
palindromic, 195 
powerful, 120 
rational, 579 
sequences, 11 
square-free, 120 
superperfect, 268 
Integers, 6 
Gaussian, 579 
most wanted, ten, 133 
Intel, 86, 89, 266 
International fixed calendar, 201 
International Mathematical Olympics, 87, 
325 

International Standard Book Number, 210 
International Standard Serial Number, 215

Internet, 239, 261, 624 
Interpolation, Lagrange, 359 
Inverse, additive, 605 
Inverse of an arithmetic function, 247 
Inverse of a matrix modulo m, 178 
Inverse modulo m, 182 
Inversion, Mobius, 272-274 
Involutory matrix, 185 
Irrational number, 6, 118-119
quadratic, 503-506, 579
Irrationality of √2, 6-7, 119
ISBN, 210
ISBN-10, 210, 211
ISBN-13, 210, 212 
Iterated knapsack cipher, 336 
Jacobi symbol, 443
reciprocity law for, 446-447
k-perfect number, 267
Kaprekar, D. R., 53
Kasiski, F., 302
Kasiski test, 302 
Kayal, N., 75 
Key, 292 

agreement protocol, 338 
common, 338-339 
decryption, 292 
encryption, 292 
exchange, 338-339 
for hashing, 204 
master, 342 
public, 322 
Keyspace, 292 
Key stream, 310 
Knapsack ciphers, 331-336 
weakness in, 335 
Knapsack problem, 334 
multiplicative, 336-337 
Knuth, Donald, 62, 63 
Kronecker, Leopold, 174, 434, 451,
kth power residue, 372
506-507, 531, 542, 546, 549, 555
on continued fractions, 506-507
on polynomial congruences, 355 
Lame, Gabriel, 105, 106, 531 
Lame’s theorem, 105-106 
Landau, Edmund, 62, 89-90 
Largest known primes, 73-74 
Law,

associative, 605 
cancellation, 605 
commutative, 605 
distributive, 605 
trichotomy, 606 

Law of quadratic reciprocity, 418, 430-438 

Leap year, 197 

Least common multiple, 

finding using prime factorizations, 116 
of more than two integers, 123 
of two integers, 116 
Least nonnegative residue, 147 
Least nonnegative residues, 148 
Least positive residue, 147 
Least primitive root for a prime, 358 
Least-remainder algorithm, 111
Leblanc, M. (pseudonym of Sophie 
Germain), 531 

Legendre, Adrien-Marie, 79, 417, 418, 531 

Legendre conjecture, 89-90 

Legendre symbol, 417 

Lehmer, Derrick, 249, 259, 518 

Lehmer, Emma, 262 
Gauss’s, 420
Hensel’s, 173 
Thue’s, 551 

Lemmermeyer, Franz, 431 
Lenstra, H., 75

Letters, frequencies of, 295-296 
Lifting solutions, 173 
Linear combination, 94 
greatest common divisor as a, 94-97, 
107-109,110 
Linear congruence, 157 
Linear congruences, systems of, 162, 178 
Linear congruential method, 395-396 
Linear diophantine equation, 137 
in more than two variables, 140 
nonnegative solutions, 142 
Linear homogeneous recurrence relation, 33 
Liouville, Joseph, 247, 248, 476 
Liouville’s function, 247 
Little theorem, Fermat’s, 219 
Littlewood, J. E., 78, 84, 92, 254
Lobsters, 142, 169 
Logarithm, discrete, 368 
Logarithmic integral, 79 
Logarithms modulo p, 368 
Lucas numbers, 34
Mangoldt function, 276
Maple, 615-619
Master key, 342, 359
Master Sun, 162 
Mathematica, 619-623 
Mathematical induction, 23-26 
second principle, 25
Mathematics, Prince of, 146 
Matrices, congruent, 180-181 
Matrix, involutory, 185 
Matrix multiplication, 67 
Maurolico, Francesco, 24 
Maximal ± 1-exponent, 408 
Mayans, 45 
arithmetic, 29
geometric, 29
Merkle, R. C., 333
Mersenne numbers, 258, 428
double, 268 

Mersenne primes, 73-74, 258-266, 382, 396, 
428, 624 

search for, 261-265, 624 
Mertens, Franz, 274 
Mertens function, 274, 276
Kasiski’s, 302
Middle-square method, 394
Mills formula, 74
Minimal universal exponent, 386
Minims, order of the, 258
Minimum-disclosure proof, 461-462
Mobius, A. F., 271
Mobius function, 270-271 
Mobius inversion, 272-274 
Mobius strip, 271 
Modified division division, 41 
Modular arithmetic, 148 
Modular exponentiation algorithm, 151-152 
complexity of, 152-153 
Modular inverses, 159 
Modular square roots, 423-424 
Modulus, 145 
Monkeys, 156, 168 
Monks, 28 

Monographic cipher, 292 
Monte Carlo method, 15, 187 
Morrison, M. A., 518 
Most wanted integers, 133 
Mr. Fix-It, 87 

Multinomial coefficient, 614 
Multiple, 36 

least common, 116 
Multiple precision, 55 
algorithm for, 57
complexity of, 64-65
Multiplicative function, 239, 240
Multiplicative knapsack problem, 336-337
Mysteries of the universe, 301
Norm, 121

of complex number, 578
binary coded decimal, 51
decimal, 48 
duodecimal, 60 
hexadecimal, 48 
octal, 48 

one’s complement, 51 
product, 19-20 
summation, 16-19 
two’s complement, 51 
NOVA, 534, 625 
NOVA Online — The Proof, 625 
Number, 

abundant, 267 
algebraic, 7 

Carmichael, 227, 228, 388-389 

composite, 70 

congruent, 560 

Cullen, 234 

deficient, 267 

double Mersenne, 268 

even, 39 

everything is, 522 

Fermat, 131-133, 353, 414, 428 

Fibonacci, 30 

generalized Fibonacci, 35 

heptagonal, 21 

hexagonal, 21 

irrational, 6 

k-abundant, 267

k-perfect, 267

Lucas, 34 

lucky, 77 

Mersenne, 258 

most wanted, 133 

odd, 39 

odd perfect, 266 
pentagonal, 21 
perfect, 256 

pseudorandom, 393-398 
random, 15, 393 
rational, 6 
Sierpinski, 384 
superperfect, 268 
t -congruent, 574 
tetrahedral, 21 

transcendental, 7, 452, 476-478 
triangular, 19, 20 
Ulam, 15 
Numbers, 
lucky, 77 


p-adic, 173 

pseudorandom, 393-398 
random, 393 
ten most wanted, 133 
Number of divisors function, 250, 634 
multiplicativity of, 251 
Number system, positional, 45 
Number theory, definition of, 1 
combinatorial, 277 
elementary, definition of, 3 
Number Theory Web, 625 
Numerals, Hindu-Arabic, 56 
Odd number, 39

Odd perfect number, 266, 268 

Odlyzko, Andrew, 84 

Oliveira e Silva, Tomas, 84 

One-time pad, 311 

One-to-one correspondence, 11

One’s complement representation, 51 

Ono, Kenneth, 287 

Operation, bit, 61 

Orange, Prince of, 555 

Order of an integer, 348 

Ordered set, 6, 606 

Origin of, 

mathematical induction, 24 
the word “algebra,” 57 
the word “algorithm,” 56 
Origins of mathematical induction, 24 

Pad, one-time, 311 
p-adic numbers, 173 
Pair, amicable, 267 
Pairwise relatively prime, 98-99 
Palindromic integer, 195 
Parameterization, 527 
Parity check bit, 209 
Parity theorem, Euler, 283 
Partial key disclosure attack on RSA, 328 
Partial quotient, 482 
Partial remainder, 59 
Partition, 277 
conjugate, 279 
function, 278 
restricted, 278 
self-conjugate, 279 
unrestricted, 278 
Parts, aliquot, 268 
Pascal, Blaise, 609-610 
Pascal’s identity, 609 
Pell, John, 554
Pell’s equation, 553-558 
Pentagonal number, 21, 284 
Pentagonal number theorem, Euler’s, 284 
Pentagonal numbers, generalized, 286 
Pentium, 54, 86, 89, 129, 262, 263, 266 
Pepin’s test, 438-439 
Perfect number, 256, 266 
even, 256-257 
odd, 266, 268 
Perfect square, 

last two decimal digits, 135 
modulo p, 416 
of a base b expansion, 474
of a continued fraction, 516 
length of a pseudorandom number 
generator, 396 

Periodic base b expansion, 473 
Periodic cicada, 122 
Periodic continued fraction, 503 
Perpetual calendar, 197-200 
Phyllotaxis, 31 
π, 6, 499

Pigeonhole principle, 8, 9
Pintz, Janos, 86 
Pirates, 169 
Plaintext, 292 
Pocklington, Henry, 381 
Pocklington’s primality test, 381 
Poker, electronic, 340-341, 429 
Pollard, J. M., 128, 129, 187, 221
Pollard,

p - 1 factorization, 221
rho factorization, 187-189
Polygon, regular, 134 
Polygraphic cipher, 300, 308 
Polynomial, cyclotomic, 276-277 
Polynomial congruences, solving, 
171-177, 355-356 
Polynomial time algorithm, 75 
Polynomials, congruence of, 156-157 
Pomerance, Carl, 75, 129 
Positional number system, 45 
Potrzebie system, 63 
Power, prime, 91 
Power generator, 401 
Power residue, 372 
Powerful integer, 120 
Powers, R. E., 518
Pre-period, 473 


Primality test, 71, 379-381 
Pocklington’s, 381 
probabilistic, 231, 459 
Proth’s, 382 
Prime, 

in arithmetic progressions, 73 
definition of, 70 
Eisenstein, 597 
Fermat, 131-132 
Gaussian, 582 
Hilbert, 121 
largest known, 73-74 
Mersenne, 73-74, 258-266, 382, 396, 
428, 624 
power, 91 
relatively, 39 
size of the nth, 84 
Sophie Germain, 75 
Wilson, 224 

Prime number theorem, 79-83 
Prime Pages, The, 624 
Prime power, 91 
PrimeNet, 262, 266 
Prime-power factorization, 113 

using to find greatest common divisors, 
115 

using to find least common multiples, 116 
Primes, 

in arithmetic progressions, 73 
infinitude of, 70-71, 76, 101, 102, 124, 
125, 133-134 
distribution of, 79-90 
finding, 71-72 
formula for, 74 
gaps, 84-85 
largest known, 73-74 
primitive roots of, 357 
twin, 86 

PRIMES is in P, 75 

Primitive Pythagorean triple, 522, 536, 561 
Primitive root, 350, 635 
Primitive root, 

method for constructing, 359 
modulo primes, 354-358, 635 
modulo prime squares, 360-362 
modulo powers of primes, 362-365 
of unity, 276, 441 
Prince of Orange, 555 
Principle, pigeonhole, 8-9 
Principle of inclusion-exclusion, 77, 613-614 
Principle of mathematical induction, 23-26 
second, 25 
Private-key cryptosystem, 321
Prize, 

for factorizations, 130 

for finding large primes, 265 

for proving the Riemann hypothesis, 83 

for settling Beal’s conjecture, 537 

Wolfskehl, 534 

Probabilistic primality test, 231, 459 
Solovay-Strassen, 459 
Probing sequence, 206 
Problem, 
coconut, 156 
congruent number, 560 
discrete logarithm, 368-369, 372 
hundred fowls, 143 
knapsack, 331 

multiplicative knapsack, 336-337 
Waring ’s, 549 
Problems, Landau, 89-90 
Product, Dirichlet, 247 
Product cipher, 299 
Product notation, 19-20 
Progression, 
arithmetic, 10 
geometric, 10, 17-18 
Project, 

Cunningham, 133 
Manhattan, 15 
Proof, 

minimum-disclosure, 461-462 
primality, 74-75 
zero-knowledge, 461-462 
Property, 
reflexive, 146 
symmetric, 147 
transitive, 147 
well-ordering, 6, 606 
Proth, E., 382 
Proth’s primality test, 382 
Protocol, 

cryptographic, 338 
failure, 328 

key agreement protocol, 338 
Prover, in a zero-knowledge proof, 462 
Pseudoconvergent, 502 
Pseudoprime, 225-227 
Euler, 453-455
strong, 229, 456 

Pseudorandom number generator, 393-399 
discrete exponential, 401 
Fibonacci, 400-401 
linear congruential, 395 


middle-square, 394 
1/P, 480 
power, 401 

pure multiplicative, 396 
quadratic congruential, 402 
square, 397-398 

Pseudorandom numbers, 393-399, 480 
Ptolemy II, 72 
Public-key cipher, 321-323 
Public-key cryptography, 321-329, 402-403 
Public-key cryptosystem, 321-322 
Pulvizer, the, 102 

Pure multiplicative congruential method, 
396-397 

Purely periodic continued fraction, 511-512 
Puzzle, 141, 143, 162 
jigsaw, 28 
tower of Hanoi, 28 
Pythagoras, 522 
Pythagorean theorem, 522 
Pythagorean triple, 522, 561 
primitive, 522, 524, 561, 603 
Pythagoreans, 522 

Quadratic character of -1, 419-420
Quadratic character of 2, 421-422 
Quadratic congruential generator, 402 
Quadratic hashing, 429 
Quadratic irrationality, 504, 579 
reduced, 512 

Quadratic nonresidue, 416 
Quadratic reciprocity law, 418, 430-438 
different proofs of, 431 
Euler’s version of, 431-432 
Gauss’s proofs of, 431 
history of, 430-431 
proof of, 434-437, 441, 442 
Quadratic residue, 416 
Quadratic residues 
chain of, 429, 430 
consecutive, 428 

Quadratic residues and primitive roots, 417 
Quadratic sieve, 129 
Queen of mathematics, 146 
Quotient, 37 
Fermat, 224 
partial, 482 

Rabbits, 30 
Rabin, Michael, 329 
Rabin cryptosystem, 329, 429 
Rabin’s probabilistic primality test, 231 
rad function, 125, 538-539
Radix, 48

Ramanujan, Srinivasa, 253, 254, 286-287
Ramanujan congruences, 287 
Random numbers, 15, 393 
Ratio, common, 10 
Rational integer, 579 
Rational number, 6 
Rational numbers, 
countability of, 11-12 
Rational point, 
on curve, 526 
on elliptic curve, 568 
on unit circle, 526-528 
Real number, base b expansion of, 469-471 
Real numbers, 
equivalent, 502 
uncountability of, 478-479 
Reciprocity law, 

for Jacobi symbols, 446-447 
quadratic, 418, 430-438 
Recurrence relation, 
linear homogeneous, 35

for the partition function, 286 
Recursive definition, 26-27 
Reduced quadratic irrational, 512 
Reduced residue system, 235 
Reducing modulo m, 147 
Reflexive property, 146 
Regular polygon, constructability, 134, 146 
Relatively prime, 39, 93 
mutually, 98 
pairwise, 98-99 
Remainder, 37 
Remainder, partial, 59 
Representation, 

one’s complement, 51 
two’s complement, 51 
Zeckendorf, 34 
Repunit, 195 
base b, 195 
Residue, 
cubic, 378 
kth power, 372
least nonnegative, 147 
quadratic, 416 
system, reduced, 235 
Residues, 

absolute least, 148 
complete system of, 148 
reduced, 235 


Restricted partitions, 278 
Riemann, George Friedrich, 80, 83, 232 
Riemann hypothesis, 83 
Riemann hypothesis, generalized, 231
Riesel, Hans, 262 
Right triangle, 
integer, 560 
rational, 560 
Rijndael algorithm, 310 
Rivest, Ronald, 324 
Robinson, Raphael, 262 
Rogers, Leonard James, 287 
Rogers-Ramanujan identities, 287 
Root, primitive, 350 
of unity, 276 

Root of a polynomial modulo m, 350 
Root of unity, 441 
primitive, 276, 441 
Roman numerals, 45 
Romans, 45 

Round-robin tournament, 202-203 
RSA cryptosystem, 323-328, 354, 390, 500, 
621, 625 

attacks on implementations of, 328-329 
cycling attack on, 354 
digital signatures in, 339-340 
Hastad broadcast attack on, 328, 330
partial key disclosure attack on, 328-329 
security of, 326-327 

Wiener’s low encryption exponent attack, 
328, 500-501 

RSA factoring challenge, 130 
RSA Labs, 130, 625 
cryptography FAQ, 625 
RSA-129, 129, 130
RSA-130, 130
RSA-140, 130
RSA-155, 130
RSA-200, 129, 130 

Rule for squaring an integer with final digit 5, 
60 

Rumely, Robert, 75 

Sarrus, P.F., 225 
Saxena, N., 75 
Scottish Cafe, 15 

Second principle of mathematical induction, 
25 

Secret sharing, 342-343 
Security of RSA, 326-327 
Seed, 395 
Selberg, A., 73, 81
Self-conjugate partition, 279
Sequence, 10 
aliquot, 268 
Euler-Mullin, 78 
Fibonacci, 30 
formula for terms, 10 
integer, 11 
probing, 206, 429 
Sidon, 53 
spectrum, 14 
super-increasing, 332 
Series, 

Farey, 100 
harmonic, 27 
Set, 

countable, 11, 478 
ordered, 606 
uncountable, 11, 478 
well-ordered, 6 
Shadows, 342 

Shamir, Adi, 323, 324, 340, 463 
Sharing, secret, 342-343 
Shift transformation, 294 
Shifting, 57 
Shuffling cards, 224 
Sidon, Simon, 53 
Sidon sequence, 53 
Sierpinski, Wacław, 384
Sierpinski number, 384 
Sieve, 

of Eratosthenes, 71-72 
number field, 129 
quadratic, 129 

Signature, digital, 339-340, 344-345, 
405-407 

Signed message, 339 
Simple continued fraction, 482 
Shafer, Michael, 263 
Sinning, 301 
Skewes, S., 84 
Skewes’ constant, 84 
Sloane, Neil, 11
Slowinski, D., 262 
Smith, Edson, 264 
Sneakers, 324 

Solovay-Strassen probabilistic primality test, 
460 

Solving 

linear congruences, 157-160 
linear diophantine equations, 137-141 
polynomial congruences, 171-177 
Splicing of telephone cables, 411-412


Spread of a splicing scheme, 411 
Square, 
diabolic, 187 
magic, 186 

Square pseudorandom number generator, 
397-399 

Square root, modular, 423-424 
Square-free integer, 120 
Square-free part, 561 
Squaring an integer with final digit 5, 60 
Squares, sums of, 542-548, 599-602 
Stark, Harold, 260 
Strauss, E., 29
Step, 
basis, 23 
inductive, 23 
Stream cipher, 310-311 
Stridmo, Odd. M., 264 
Strip, Mobius, 271 
Strong pseudoprime, 229, 373-376, 454

Strongly multiplicative function, 247 
Subexponential time, 128 
Substitution cipher, 293 
Subtraction, algorithm for, 56 
Subtraction, complexity of, 54 
Sum, telescoping, 18 
Sum of divisors function, 249, 634 
multiplicativity of, 251 
Summation, 
index of, 16 
notation, 16 

terms of a geometric series, 18 
Summations, 
properties of, 17 
Summatory function, 243 
of Mobius function, 270-271 
Sums of cubes, 549-550 
Sums of squares, 542-548, 599-602 
Super-increasing sequence, 332 
Superperfect integer, 268 
SWAC, 262 

Sylvester, James Joseph, 96, 266, 280 
Symbol, 

Jacobi, 443 
Kronecker, 451 
Legendre, 417 
Symmetric cipher, 321 
Symmetric property, 147 
System, index, 377 
System of congruences, 178-185 
System of linear congruences, 174-181 
System of residues,
complete, 148 
reduced, 235 

Table, 

factor, 627-633 
of arithmetic functions, 634 
of continued fractions, 640 
of indices, 636-639 
of primitive roots, 635 
Tao, Terrence, 87 
t -congruent number, 574 
Team, 
away, 203 
home, 203 

Telephone cables, 411-413

Telescoping sum, 18 

Ten most wanted integers, 133 

Term, initial, of a geometric progression, 10 

Terminate, 472 

Terminating base b expansion, 472 
Test, 

divisibility, 191-194 
Kasiski, 302 
Lucas-Lehmer, 260 
Miller’s, 228-229 
Pepin’s, 438-439 

primality, 71-72, 74-75, 228-230, 
378-383, 460 

probabilistic primality, 228-230, 460 
Tetrahedral number, 21 
Theorem, 

Bezout’s, 95 
binomial, 610-611 
Chinese remainder, 162-163 
Dirichlet’s, 9, 73, 118, 497 
Euler parity, 283 
Euler’s, 234 

Euler’s pentagonal number, 284 
Fermat’s last, 530-536 
Fermat’s little, 219-220 
fundamental, of arithmetic, 112 
Gauss’s generalization of Wilson’s, 224 
Green-Tao, 87 

Lagrange’s (on continued fractions), 
506-507 

Lagrange’s (on polynomial congruences), 
355 

Lame’s, 105-106 
prime number, 81 
Wilson’s, 217 

Threshold scheme, 342-343, 359-360 


Thue, Axel, 551 

Thue’s lemma, 551 

Tijdeman, R., 537 

Tournament, round-robin, 202-203 

Tower of Hanoi, 28, 259 

Transcendental number, 7, 452, 476-478 

Transformation, affine, 294, 316 

Transformation, shift, 294 

Transitive property, 147 

Transposition cipher, 316 

Trial division, 71, 127 

Triangle, 

Heron, 574 
Pascal’s, 609-610 
Pythagorean, 522 
right, integer, 560 
right, rational, 560 
Triangular number, 19, 20 
Trichotomy law, 606 
Trivial zeros, 83 
Tuberculosis, 62, 232, 254, 434 
Tunnell, J., 571-572
Tuckerman, Bryant, 262 
Twin prime conjecture, 86 
Twin primes, 86 

asymptotic formula conjecture, 92 
application to hashing, 206 
Two squares, sums of, 542-545, 601-602 
Two’s complement representation, 51 

Ujjain, astronomical observatory at, 555 
Ulam, S. M., 15 
Ulam number, 15 
Uncountable set, 12, 15, 478-479 
Unique factorization, 112-114
of Gaussian integers, 592-594 
Unique factorization, failure of, 114, 121, 
598 

Unit, in the Gaussian integers, 581 
Unit circle, 

rational points on, 526, 527 
Unit fraction, 29 
Unity 

primitive root of, 276, 441 
root of, 441 

Universal exponent, 386 
Universal product code, 213 
Unrestricted partitions, 278 
Uzbekistan, 57 

Valle-Poussin, C. de la, 79, 81 
van der Corput, Johannes, 87 
Variable, dummy, 16, 20
Vega, Jurij, 79
Vegetarianism, 254

Verifier, in a zero-knowledge proof, 462
Vernam, Gilbert, 311
Vernam cipher, 311
O(f)

π(x)

f(x) ~ g(x)
a
I

A
Fibonacci number, 30